Microsoft and Adobe have issued their round of updates today, as of 1 PM EST. Details of what was fixed are below.
First, Microsoft: five of the 12 patches Microsoft released today earned a “critical” rating. This means that attackers could exploit such vulnerabilities at any time.
The vulnerabilities include flaws in the Windows implementation of Vector Markup Language (VML), in Microsoft Exchange, and in the way Windows handles certain media files. The remaining (critical) patch fixes a flaw only on Windows XP systems.
In today’s update, a patch for .NET may be included. This should be installed separately for best results. Install all other updates, and then do the .NET patch. This seems to be the best plan.
Adobe fixes Flash and Shockwave Players:
APSB13-05 covers the fixes for CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638 and CVE-2013-0637. The fixes are for Flash Player, AIR and AIR SDK.
Here are the new versions:
Android 2.x-3.x, 18.104.22.168
Windows, Mac, & Android, 22.214.171.1247
Adobe AIR SDK
Windows, Mac, & Android, 126.96.36.1999
Google pushed out its channel update for Chrome today for Flash Player.
Well, it’s Patch Tuesday, or what some people call “Black” Tuesday.
Seven security bulletins were released for Microsoft products, patching at least 11-12 vulnerabilities. There could be more on some systems.
Current bulletins for this round:
- MS12-077 Cumulative Security Update for Internet Explorer
- MS12-078 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
- MS12-079 Vulnerability in Microsoft Word Could Allow Remote Code Execution
- MS12-080 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution
- MS12-081 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
- MS12-082 Vulnerability in DirectPlay Could Allow Remote Code Execution
- MS12-083 Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass
(Key: Important – Critical)
For the December Adobe Updates…The updates are for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 188.8.131.52 and earlier versions for Linux, Adobe Flash Player 184.108.40.206 and earlier versions for Android 4.x, and Adobe Flash Player 220.127.116.11 and earlier versions for Android 3.x and 2.x, Adobe said.
The three updates fix a buffer overflow vulnerability, integer overflow vulnerability and a memory corruption vulnerability, all three of which could lead to code execution, Adobe also said.
Here’s a small update to yesterday’s Patch Tuesday. Microsoft seemed to have only two critical fixes…
The first patch, MS12-061, applies to Microsoft Visual Studio Team Foundation Server. The other update, MS12-062, fixes a flaw in Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007.
Note to system administrators: Microsoft is urging you to test the following update: KB2661254, which helps mitigate the risks associated with the Flame malware. It won’t be released until October, but it is available for testing purposes. It is best to strengthen your SSL certificates.
New updates from Adobe come a week after their recent release, which was critical. Having subsequent updates for critical flaws raises the question of whether or not Flash Player is safe. It looks as if AIR was affected as well. This patching closes six vulnerabilities, helping to safeguard against hackers.
These platforms are affected, and now have a patch available for download:
- Windows (New update: 11.4.402.265)
- Mac (New update: 11.4.402.265)
- Linux (New Update)
- Android (New Update)
The customized Google Chrome version (Pepper) should automatically update to version 18.104.22.168 for PC and 11.4.402.265 for Mac.
For Windows and Mac users, bear in mind the new Adobe AIR 22.214.171.1240, which you should include with your updates for Flash Player.
This week’s update fixes the following, according to Adobe:
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
- These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).
The end of support for Adobe Flash Player on Android systems is coming very soon! See below:
Devices that don’t have the Flash Player provided by the manufacturer typically are uncertified, meaning the manufacturer has not completed the certification testing requirements. In many cases users of uncertified devices have been able to download the Flash Player from the Google Play Store, and in most cases it worked. However, with Android 4.1 this is no longer going to be the case, as we have not continued developing and testing Flash Player for this new version of Android and its available browser options. There will be no certified implementations of Flash Player for Android 4.1.
Beginning August 15th we will use the configuration settings in the Google Play Store to limit continued access to Flash Player updates to only those devices that have Flash Player already installed. Devices that do not have Flash Player already installed are increasingly likely to be incompatible with Flash Player and will no longer be able to install it from the Google Play Store after August 15th.