Adobe product security took another hit recently when reports surfaced of a zero-day attack against a critical vulnerability in the ubiquitous Adobe Reader. Small-scale, targeted attacks have already occurred in the wild. The flaw affects both Reader and Acrobat on all platforms, and lets an attacker install malware on your PC if you open a malicious PDF file using version 9.2 or earlier of either app. By the time you read this, Adobe has devised a patch for the problem, as described in a recent security bulletin.
Opening a tainted EPS file could trigger an attack if you have Illustrator CS4 version 14.0.0, or Illustrator CS3 version 13.0.3 or earlier, on any operating system. Adobe's Illustrator has another critical flaw that remains to be fixed. As with the Reader vulnerability, Adobe hoped to release a fix at around the time we went to press. Adobe did release necessary patches for its Flash Player and AIR programs on all platforms. Look for a patch announcement; and for details, see the relevant bulletin from Adobe.
Among the critical flaws that these fixes corrected was a bug in the way the programs handled JPEG images. Jumbo Update for IE Microsoft's latest batch of patches has a cumulative update for all Internet Explorer versions. Adobe has set up a page on its site where you can check your version of Flash; versions 10.0.32.18 and earlier need updating to version 10.0.42.34. AIR versions 1.5.2 and earlier need to bump up to version 1.5.3. Adobe has also posted a bulletin summarizing the situation. This bundle includes fixes for last month's zero-day flaw affecting IE 6 and 7. The update (MS09-072) is rated critical for IE 5 on Windows 2000, for IE 6 on Windows XP or Server 2003, and for IE 7 on XP and Vista. The update is rated critical for Microsoft Project 2000 SP1, and important for 2002 SP1 (part of Office XP) and 2003 SP3. Office 2007 is not affected. It's also required for IE 8 on XP, Vista, and Windows 7; but it's rated only moderate for IE 7 and 8 on Server 2003 and Server 2008. Next up for Microsoft is MS09-074, a fix for an Office Project flaw that a malicious Project file could trigger.
Additional Microsoft Fixes The final critical Microsoft fix, MS09-071, affects only Windows Server 2008. But you should also pick up a number of less-crucial patches. Another update (MS09-069) prevents a specially created Internet Security Association and Key Management Protocol message from crashing Windows 2000, XP, or Server 2003. To obtain all of the new patches, fire up Windows Update; for an overview of the whole batch, see Microsoft's security bulletin summary. One of them (MS09-073) fixes a bug in WordPad and in Office Text Converters that a maliciously crafted Word 97 file could exploit. Media Fixes for Firefox Firefox users can wrap up their monthly patches by making sure the browser is updated to version 3.5.6, or to 3.0.16 if you haven't yet upgraded. The 3.5.6 update shores up two other critical security holes: one in the libtheora video library that could be hit with a malicious video file, and the other in the liboggplay media library. Both updates fix various crash bugs that might allow an intruder to install malware and run attack commands.
Choose Help, Check for Updates to make sure you have the latest version.
0 comments:
Post a Comment