What a busy Tuesday: Microsoft had a BIG Patch Tuesday compounded by Adobe's Patch Tuesday and Oracle's Patch Tuesday all at once. There are security patches for the Adobe Flash Players and Adobe AIR. Oracle issued a security-enhancing patch for Java JRE 7. There is an update for Java JRE 6, but it does not fix any security issues.
The SANS Diary entry for Microsoft lists many of the items, including an IE patch and a patch for Microsoft Word, as CRITICAL*, so you shouldn't delay patching past Friday if you use IE or Word.
- * Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- ISC Diary | Microsoft December 2012 Black Tuesday Update - Overview
Overview of the December 2012 Microsoft patches and their status.
- It’s That Time of Year, For the December 2012 Bulletin Release - MSRC - Site Home - TechNet Blogs
... today we’re releasing seven bulletins, five Critical-class and two Important-class, addressing 12 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following two critical updates first: ....
- Microsoft fixes critical Windows 8, IE10 flaws for Patch Tuesday | ZDNet
Summary: Put a pot of coffee on, it's Patch Tuesday. Microsoft today released five critical patches that fix vulnerabilities in Windows 8 devices, including Surface tablets, and Internet Explorer 10.
Microsoft has released five critical security updates for Windows 8 and Windows RT in order to protect against a range of vulnerabilities identified in the recently released software.
All in all, there are seven updates for Windows users, with five rated "critical" that could lead to remote code execution, while two are rated "important," which fix flaws that could result in the operating system's security features being bypassed.
- Critical Updates for Flash Player, Microsoft Windows — Krebs on Security
Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software. Separately, Adobe pushed out a fix for its Flash Player and AIR software that address at least three critical vulnerabilities in these programs.
A majority of the bugs quashed in Microsoft’s patch batch are critical security holes, meaning that malware or miscreants could exploit them to seize control over vulnerable systems with little or no help from users. Among the critical patches is an update for Internet Explorer versions 9 and 10 (Redmond says these flaws are not present in earlier versions of IE).
Articles on Adobe's Patches: (Note: the Krebs-on-Security article referenced above also discusses this)
- Adobe Security Bulletins Posted « Adobe Product Security Incident Response Team (PSIRT) Blog
Today, we released the following Security Bulletins:
- APSB12-26 – Security update: Hotfix available for ColdFusion 10 and earlier
- APSB12-27 – Security updates available for Adobe Flash Player
Customers of the affected products should consult the relevant Security Bulletin(s) for details.
- Adobe - Security Bulletins: APSB12-27 - Security updates available for Adobe Flash Player
Security updates available for Adobe Flash Player
Release date: December 11, 2012
Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 188.8.131.52 and earlier versions for Linux, Adobe Flash Player 184.108.40.206 and earlier versions for Android 4.x, and Adobe Flash Player 220.127.116.11 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
- Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
- [ .... ]
- Users of Adobe AIR 18.104.22.1680 and earlier versions for Windows should update to Adobe AIR 22.214.171.1240.
- Users of Adobe AIR 126.96.36.1990 and earlier versions for Macintosh should update to Adobe AIR 188.8.131.520.
Affected software versions
- Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
- Adobe Flash Player 184.108.40.206 and earlier versions for Linux
- Adobe Flash Player 220.127.116.11 and earlier versions for Android 4.x
- Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x
- Adobe AIR 22.214.171.1240 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page,
or right-click on content running in Flash Player and select "About
Adobe (or Macromedia) Flash Player" from the menu. If you use multiple
browsers and did not select the option to 'Allow Adobe to install
updates' (Windows and Macintosh only), perform the check for each
browser you have installed on your system.
To verify the version of Adobe Flash Player for Android, go
to Settings > Applications > Manage Applications > Adobe Flash
To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.
Articles on Oracle's Java Patches are few as of this writing, all I have managed to find is the download page for Java. There are links to the "Release Notes" pages for Java 6 and 7 on the download page:
- Java SE Downloads
Java SE 7u10
This releases brings in key security features and bug fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release.