Microsoft, Adobe, Apple Fix Critical Security Vulnerabilities
A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday. Critical patches for Adobe Systems software keep coming. This time, they fix serious security bugs in the company’s Shockwave Player. Apple has also released a major security update designed to fix security bugs, some of which present a critical security risk on unpatched systems.
Microsoft update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.
Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.
Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.
For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday’s patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.
Adobe is strongly urging users to upgrade. Unlike the vast majority of patches, the Shockwave fix requires users manually uninstall the out-of-date version, reboot their systems, and then install the latest version. For an application with more than 450 million installations, that’s downright primitive.
More importantly, making it inconvenient for users to upgrade is a guarantee that a sizable portion of them will remain vulnerable. Adobe has recently unveiled an automatic updater for its Reader application. It’s about time the software maker made seamless updating for Flash and Shockwave standard too. The critical patch, assuming it’s installed, will update Shockwave to version 11.5.6.606.
Patches released by Apple on Tuesday address a malware injection risk in the CoreAudio media player, Flash Player plug-in bugs and a similarly critical vulnerability involving Image Raw. The update also tackles a recently discovered OpenSSL renegotiation exploit. Security fixes for CUPS and Image IO make up the remainder of the patch batch.
Most of these updates are connected with third party software. For example, seven of the twelve CVEs are connected with the update for Adobe’s flash player plug-in. The remainder of the bugs are the usual file format parsing problems that we’ve seen a lot of in the past.
Apple advisory can be found at http://support.apple.com/kb/HT4004.
Credit: The Register
More on CyberInsecure:
Posts
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.