Adobe releases its own Patch Tuesday security updates

Adobe’s fixed, among other things, a Flash Player flaw attackers have already exploited to break into Windows machines.

Microsoft gets most of the attention the second Tuesday of each month because of its security updates, but yesterday was also significant for the security patches Adobe released -- including one for a Flash Player flaw attackers have already exploited to break into machines running Windows.

Adobe's bulletin for Flash says the following:

These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document.

The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. Adobe recommends users update their product installations to the latest versions: Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271. Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238. Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.

Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux operating systems are affected.

Another update is for Adobe Shockwave Player. That bulletin says:

Adobe has released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.5.635 and earlier versions update to Adobe Shockwave Player 11.6.6.636 using the instructions provided in the "Solution" section below. \

AFFECTED SOFTWARE VERSIONS: Adobe Shockwave Player 11.6.5.635 and earlier versions for Windows and Macintosh

Adobe also released a fix for Reader and Acrobat. From that bulletin:

Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions: Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4). For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2. Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh should update to Adobe Acrobat X (10.1.4). Users of Adobe Acrobat 9.5.1 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.2.

AFFECTED SOFTWARE VERSIONS Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Macintosh Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Macintosh Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macintosh Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Macintosh 

In a recent interview, Brad Arkin -- Adobe's senior director of  security, standards, open source, and accessibility -- told me one of the company's big efforts is to get more customers to use the most recent versions of these programs. To that end, Arkin has focused on automatic updates that download in the background, so the user doesn't have to be bothered with it.

"We've been putting a lot of incremental improvements into Reader but adoption wasn’t as high as we needed it to be," he said. "In April 2010 we turned on our auto-updater and that's increased deployment significantly. In June 2011 we changed the default setting from semi-auto to silent auto. Users need the update but if asked they won’t want to be bothered. So the goal was to make it so they wouldn’t have to be bothered."

He added: "The bad guys attacked Flash a lot in 2010-11. The security update response time for Flash is now an average of 5 days. We are adapting the Reader auto update strategy to Flash player, but it's a little more difficult because of the different ways Flash communicates with the different browsers. We can’t do this just once like we could with Reader."

Join the discussion
Be the first to comment on this article. Our Commenting Policies