Yesterday, Adobe released security fixes for its Shockwave and Flash media players, and Microsoft released seven patch bundles that address at least 34 vulnerabilities in Windows and other Microsoft software. At least one of the Windows flaws is already being exploited.
Six of the seven Microsoft patches that were released yesterday earned the company’s most dire “critical” rating; these patches plug security holes that could otherwise be exploited by malware without the user’s knowledge.
Microsoft and security experts have singled out MS13-053, which fixes at least eight flaws in the Windows kernel-mode drivers (win32k.sys), including the handling of TrueType fonts. The TrueType vulnerability is present on nearly every supported version of Windows, including XP, Vista, Windows 7 and 8, and can be exploited to take complete control of a vulnerable system when the user views a web page or other shared content containing malicious TrueType font data.
Microsoft also says that one of the flaws fixed in MS13-053, CVE-2013-3660, is already being exploited; that bug is a separate win32k.sys issue that had been publicly disclosed before the patch, not the TrueType flaw. The TrueType bug (CVE-2013-3129) is addressed in three bulletins, and Ross Barrett, senior manager of security engineering at Rapid7, said this is the first time Microsoft has addressed a single TrueType vulnerability in three separate advisories (MS13-052, MS13-053, and MS13-054).
“By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed,” Barrett explained.
Another important part of yesterday's release is the Internet Explorer update, MS13-055, which is rated “critical” for all supported versions of Internet Explorer and addresses 17 vulnerabilities. For a complete breakdown of yesterday's updates, see this summary page, which includes links to each individual patch.
Microsoft also announced a policy change covering applications sold or downloaded through its app marketplaces: any application with a confirmed security issue will be removed from the store unless it is patched within 180 days of Microsoft confirming the problem.
To read more about the policy change, see Microsoft's TechNet blog.
Adobe Flash & Shockwave
Adobe's Flash Player update fixes at least three critical bugs and is available for the Windows, Mac, Linux and Android versions of Flash. It brings Flash Player to version 11.8.800.94 on Windows and Mac. To find out which version of Flash you have installed, visit this page.
Internet Explorer 10 on Windows 8, which has Flash built in, will be updated automatically, as will Google Chrome. Note that the patched Flash version bundled with Chrome is 11.8.800.97, and many Chrome installations don't appear to have received it yet.
The latest Flash installers are available from the Adobe download center, but watch out for bundled, pre-checked extras such as McAfee Security Scan: uncheck the box before downloading if you don't want them installed alongside Flash.
Windows users who browse with anything other than Internet Explorer will need to apply the Flash update twice: once from Internet Explorer, which uses the ActiveX version, and again from the alternative browser (Firefox, Opera, etc.), which uses the separate plugin version. Adobe also released a new version of its Shockwave Player that fixes at least one critical flaw and brings Shockwave to version 12.0.3.133 on Windows and Mac. Shockwave updates are available at: http://get.adobe.com/shockwave/
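Because each browser on Windows loads its own Flash binary, a machine can have a patched ActiveX control for Internet Explorer and a stale plugin for Firefox at the same time, which is why the update has to be applied twice. The PowerShell script below is an added example, not code from the article or from Adobe: it inventories the Flash and Shockwave binaries on a Windows box and flags any that are older than the versions named above. The install paths it searches (Macromed\Flash, Adobe\Director, Chrome's PepperFlash directory) and the file names are the standard locations for Flash 11.x / Shockwave 12.x and are assumed here.

```powershell
# Added example (not from the article): check installed Flash and Shockwave binaries
# against the versions shipped in the July 2013 updates. Paths and file names below
# are assumed standard install locations, not something the article states.

# Patched versions named in the article.
$Patched = @{
    'Flash (ActiveX, Internet Explorer)'  = [version]'11.8.800.94'
    'Flash (NPAPI plugin, Firefox/Opera)' = [version]'11.8.800.94'
    'Flash (PPAPI, Chrome)'               = [version]'11.8.800.97'
    'Shockwave Player'                    = [version]'12.0.3.133'
}

# Each component is a separate binary; the ActiveX control and the NPAPI plugin
# are installed independently, so one can be current while the other is not.
$Targets = @(
    @{ Name = 'Flash (ActiveX, Internet Explorer)'
       Glob = "$env:SystemRoot\System32\Macromed\Flash\Flash*.ocx",
              "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash*.ocx" }
    @{ Name = 'Flash (NPAPI plugin, Firefox/Opera)'
       Glob = "$env:SystemRoot\System32\Macromed\Flash\NPSWF32*.dll",
              "$env:SystemRoot\SysWOW64\Macromed\Flash\NPSWF32*.dll" }
    @{ Name = 'Flash (PPAPI, Chrome)'
       Glob = "${env:ProgramFiles(x86)}\Google\Chrome\Application\*\PepperFlash\pepflashplayer.dll",
              "$env:LOCALAPPDATA\Google\Chrome\Application\*\PepperFlash\pepflashplayer.dll" }
    @{ Name = 'Shockwave Player'
       Glob = "$env:SystemRoot\System32\Adobe\Director\SwDir.dll",
              "$env:SystemRoot\SysWOW64\Adobe\Director\SwDir.dll" }
)

function Get-AdobePlayerStatus {
    foreach ($t in $Targets) {
        $required = $Patched[$t.Name]
        $files = Get-ChildItem -Path $t.Glob -File -ErrorAction SilentlyContinue
        if (-not $files) {
            # Absence is the ideal outcome for Shockwave, per the article's advice.
            [pscustomobject]@{ Component = $t.Name; Path = $null; Installed = $null
                               Required = $required; Status = 'not installed' }
            continue
        }
        foreach ($f in $files) {
            # Adobe's FileVersion strings use commas ("11,8,800,94"); normalise before parsing.
            $raw = ($f.VersionInfo.FileVersion -replace ',', '.') -replace '\s', ''
            $ver = $null
            $parsed = [version]::TryParse($raw, [ref]$ver)
            $status = if (-not $parsed)        { 'unparseable version' }
                      elseif ($ver -lt $required) { 'OUTDATED - apply update' }
                      else                     { 'patched' }
            [pscustomobject]@{ Component = $t.Name; Path = $f.FullName; Installed = $ver
                               Required = $required; Status = $status }
        }
    }
}

Get-AdobePlayerStatus | Format-Table -AutoSize
```

Run it before and after patching: a row reading OUTDATED for the NPAPI plugin while the ActiveX row reads patched is exactly the situation the "apply it twice" advice exists to catch. Multiple rows for one component usually mean leftover binaries from older installs, which are worth removing since a browser can still be pointed at them.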
Shockwave, like Java, is one of those powerful and frequently buggy programs that many people install but don't actually need for browsing the Web. Part of locking down a system is removing software you don't use, so consider whether you need Shockwave at all before updating it.
Firefox users should note that the “Shockwave Flash” entry in the Firefox Add-ons list is the Adobe Flash Player plugin, not Adobe Shockwave. Adobe normally releases an update for AIR alongside its Flash updates, but yesterday's release was an exception.
Adobe says it is not aware of any active attacks or exploits against the vulnerabilities fixed in yesterday's Flash and Shockwave releases.
Have questions about your IT security? Contact us today and ask about our network security audit and technology review services.