PATCH DAY: Both Adobe and Microsoft Patches are Critical Today
This month’s big patch day brings ‘critical’ updates from both Adobe and Microsoft.
Adobe Patches Flash and Reader
Adobe pushed out a critical update to plug 52+ bugs in Flash Player and an update to patch Adobe Reader. Separately, Microsoft released 11 security updates.
Firstly, if you have Adobe Flash Player installed and haven’t yet disabled auto-run in this insecure program so that it runs only when you want it to, you’re playing with fire!
It’s so bad that hackers are constantly finding and exploiting zero-day flaws in Flash Player before Adobe even knows about the bugs.
The bigger concern is that Flash is such a powerful program running inside your browser that users can have their computer compromised simply by browsing to a hacked or malicious website that targets unpatched Flash flaws. The Flash code runs and the machine is compromised – automatically and without further approval or clicks needed by the website user.
If you choose to update, please do it TODAY. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart.
Adobe’s advisory on the Flash flaws is here.
Microsoft Critical Updates
Six of the 11 patches Microsoft issued recently have earned the “critical” rating, which Microsoft assigns to software bugs that can be exploited to remotely control vulnerable machines with little to no help from end-users, except perhaps simply browsing to a hacked or malicious website.
Most of the vulnerabilities Microsoft fixed this Patch Tuesday are in the company’s Web browsers — i.e., Internet Explorer (15 vulnerabilities) and even the newer Edge browser (13 flaws). Both patches address numerous browse-and-get-owned issues.
Another critical patch from Microsoft tackles multiple problems in Microsoft Office, which can be exploited through poisoned Office documents. Again, just opening a malicious document can result in your whole computer being compromised.
For further information about these patches from Adobe and Microsoft, read these blog posts from security vendors Qualys and Shavlik.