Tuesday, December 11, 2012

A busy Patch Tuesday this December

I'm back after a long hiatus, mostly for family reasons.  Should be blogging here more often.

What a busy Tuesday:  Microsoft had a BIG Patch Tuesday compounded by Adobe's Patch Tuesday and Oracle's Patch Tuesday all at once.  There are security patches for the Adobe Flash Players and Adobe AIR.  Oracle issued a security-enhancing patch for Java JRE 7.  There is an update for Java JRE 6, but it does not fix any security issues.

The SANS Diary entry for Microsoft lists many of the items, including an IE patch and a patch for Microsoft Word, as CRITICAL*, so you shouldn't delay patching past Friday if you use IE or Word.
  • * Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Articles on Microsoft's Patch Tuesday:
  • It’s That Time of Year, For the December 2012 Bulletin Release - MSRC - Site Home - TechNet Blogs
    ... today we’re releasing seven bulletins, five Critical-class and two Important-class, addressing 12 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following two critical updates first: ....
  • Microsoft fixes critical Windows 8, IE10 flaws for Patch Tuesday | ZDNet
    Summary: Put a pot of coffee on, it's Patch Tuesday. Microsoft today released five critical patches that fix vulnerabilities in Windows 8 devices, including Surface tablets, and Internet Explorer 10.

    Microsoft has released five critical security updates for Windows 8 and Windows RT in order to protect against a range of vulnerabilities identified in the recently released software.

    All in all, there are seven updates for Windows users, with five rated "critical" that could lead to remote code execution, while two are rated "important," which fix flaws that could result in the operating system's security features being bypassed.

  • Critical Updates for Flash Player, Microsoft Windows — Krebs on Security

    Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software. Separately, Adobe pushed out a fix for its Flash Player and AIR software that address at least three critical vulnerabilities in these programs.

    A majority of the bugs quashed in Microsoft’s patch batch are critical security holes, meaning that malware or miscreants could exploit them to seize control over vulnerable systems with little or no help from users. Among the critical patches is an update for Internet Explorer versions 9 and 10 (Redmond says these flaws are not present in earlier versions of IE).


Articles on Adobe's Patches: (Note: the Krebs-on-Security article referenced above also discusses this)
Security updates available for Adobe Flash Player
Release date: December 11, 2012

Summary

Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:


  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
  • [ .... ]
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Windows should update to Adobe AIR 3.5.0.880.
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.890.

    Affected software versions


  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

    To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page,
    or right-click on content running in Flash Player and select "About
    Adobe (or Macromedia) Flash Player" from the menu. If you use multiple
    browsers and did not select the option to 'Allow Adobe to install
    updates' (Windows and Macintosh only), perform the check for each
    browser you have installed on your system.


    To verify the version of Adobe Flash Player for Android, go
    to Settings > Applications > Manage Applications > Adobe Flash
    Player x.x.


    To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

Articles on Oracle's Java Patches are few as of this writing, all I have managed to find is the download page for Java.  There are links to the "Release Notes" pages for Java 6 and 7 on the download page:
  • Java SE Downloads
    Java SE 7u10
    This releases brings in key security features and bug fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release.