Keeping your software up to date is really important these days. There is big money in organized crime, seeking to compromise computers and gain access to your personal information – especially banking information. These malicious entities seek to gain a foothold in your computer by exploiting known vulnerabilities in popular software. As a result, something as benign as visiting a web site, opening an image, or playing a music file can lead to a compromised system, if your software has un-patched vulnerabilities.

So, keep that software up to date!

We’ll start this week with a bit of good news on the OS front, for those Apple customers who have migrated to the latest version of their OS.

Apple Mac OS X 10.6.2 (Snow Leopard) Updates:

Apple has released a Snow Leopard update that fixes a number of problems customers have reported, including patching a large number of security flaws in the firewall, Apache services, Apple Type Services (font handling), graphics and media services; the list goes on and on. You can read about it here.

Perhaps more exciting for users of Adobe Photoshop: John Nack has reported that the Photoshop team has been working with Apple, and this updated fixes a number of issues with Photoshop:

Affecting multiple versions of Photoshop:

• 50654: When opening and saving, applications–including Adobe applications–may sporadically crash
• 51230: Images don’t open when dragged onto the Adobe program icon in the Dock

• 51220: Crash or program error occurs when using Menlo font in Photoshop and Premiere CS3 and CS4

CS4-specific:

• 51764: Only one image opens when many are dragged onto Photoshop’s icon
• 51278: Cursors don’t display correctly in Photoshop CS4
• 51339: Editing in Photoshop CS4 fails from 64-bit Lightroom in Mac OS X 10.6
• Cannot drag from Safari onto Photoshop icon (and other application icons) in Dock to open file

Whether you get this update for security or for the Photoshop fixes, get it!

Browser Updates:

Opera – version 10.1 was released at the end of October, and this update combined a series of user experience features with a few security updates that I would consider critical. From the Opera changelog page:

These are all flaws that could result in a malicious user or site compromising your system. The last one listed seems especially concerning, sinc edetails aren’t being released. If you’re using Opera, make sure to install this update as soon as possible.

Firefox – Although version 3.5.4 was only recently released, the team at Mozilla.com has pushed out a new verison 3.5.5. This update contains several stability fixes, and in looking at the bug reports, the issues address browser crashes – typically the first place that hackers look for opportunities to gain access into your system. Firefox has pushed out this change, so you should see it automatically; if not, please visit www.mozilla.com and get the update.

Note also that for users who are still using the 3.0 version of Firefox, this has also been updated from 3.0.14 to 3.0.15 as of the end of October.

Java Updates:

Java 6 Update 17 was released on 11/4/2009. This release contains fixes for 23 security vulnerabilities. If you have the Java virtual machine installed on your system, this update is highly recommended.

Adobe Software Updates:

Photoshop Elements for Windows, version 7 and version 8, have a potential privilege escalation problem. This means that a user could gain administrator privileges by exploiting this vulnerability. Adobe has not patched the software yet, but they have provided a workaround to mitigate the risk.

Shockwave Player 11.5.1.601 and earlier have critical vulnerabilities that could allow a malicious attacker to run arbitrary code on your system. Chances are you’re not using Shockwave anymore (it is generally superseded by Flash), but if you do have it, please upgrade to the latest version 11.5.2.602.

That’s all for this week! Keep your software up to date, and keep safe!

Let’s start with the Microsoft Windows updates.

As they are wont to do, Microsoft released their monthly update on the second Tuesday of October, and this month there were a massive number of patches for Windows, Office and related Microsoft applications. The canonical list, with links to tech bulletins, can be found at the Microsoft Security October 2009 Update page.

October’s updates include a total of 13 separate security updates, two of which are the standard monthly updates for Outlook Junk Email filter, and the Windows Malicious Software Removal Tool (mrt.exe). But the other 11 updates include patches for no less than 29 critical vulnerabilities, spanning a gamut of OS-related modules:

• Active Template Library (ATL) vulnerabilities (4 patches)
• Internet Explorer (4 patches)
• Silverlight and .NET framework (3 patches)
• GDI+ (the OS Graphics engine) (8 patches)
• Windows Media Player and Runtime (3 patches)
• Windows Kernel (3 patches)
• Indexing Service (1 patch)
• Windows Crypto API (2 patches)
• Windows LSASS service (1 patch)

The moral of the story here – make sure you have automatic updates turned ON. More than a few of these vulnerabilities are already being exploited in the wild, and the release of patches is a signal to malicious entities to begin trying to exploit un-patched machines.

Apple releases iPhone OS 3.1.2

The update for the iPhone OS contains several fixes for issues that have been plaguing iPhone users, including:

• A sporadic issue that may cause iPhone to not wake from sleep
• Resolution to an intermittent issue that may interrupt cellular network services until restart
• Bug fix to remedy crashes during video streaming

This update applies to all versions of the iPhone, and is available through iTunes, so synch those devices and get your update!

Adobe releases security updates for Acrobat and Reader

Acrobat and Reader have been updated as follows:

• Windows and Mac from 9.1.3 to 9.2
• Legacy Windows and Mac, from 8.1.6 to 8.1.7
• Linux version, from 7.1.3 to 7.1.4

From Adobe’s security page:

Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update.

It seems Apple moved quickly to release an update to Mac OS X 10.6.1 – primarily, it would seem, to upgrade the Flash Player plug-in to the current 10.0.32.18. You may recall from last week’s security topic, that Apple’s initial release of Snow Leopard included an older version of Flash Player that was vulnerable to malicious attacks. Apple moved quickly to fix this, but with that response time, you have to wonder if this wasn’t an oversight as they were rushing to get Snow Leopard shipped. If you’ve made the move to Snow Leopard, make sure you get the update!

Apple had a busy week last week, however; with a flurry of releases.

It started with hosting a huge music event and showing a new line of iPods, introduced by none other than Steve Jobs himself. Of course, to go along with the new hardware, Apple also released iTunes 9 and QuickTime 7.6.4. I mention this as part of our security update, because this version of QuickTime… you guessed it… patches some vulnerabilities in which a maliciously crafted video could lead to a crash and ultimately execution of arbitrary code. Again, make sure you get this update!

Apple didn’t stop there, however. They have released iPhone OS 3.1 and OS 3.1.1 for iPod Touch, both available using the iTunes updater. These updates address several security concerns as well:

• Playing a maliciously crafted MP3 or AAC file could result in crashes and arbitrary code execution.
• Deleted mail may still be visible using Spotlight Search, as we reported last month.
• Several vulnerabilities related to web browsing that could result in security or privacy issues.

Apple has certainly done well in providing these updates, but in my opinion has done the user community an even greater service in their increased level of disclosure of the problems and their solutions. My hat is off to Apple for stepping up their level of communications, a very important part of strategy in security management!

Note that this update does NOT apply to Snow Leopard, OS X 10.5.6.

This release updates Java SE 6 to version 1.6.0_15 (for 64-bit Intel Macs only), J2SE 5.0 to version 1.5.0_20 (all Intel and PPC Macs), and J2SE 1.4.2 to 1.4.2_22 (all Intel and PPC Macs). The updates catch up with Java fixes released by Sun in August, but apparently there are still a few pending vulnerabilities that have yet to be incorporated into the Leopard packages.

Make sure you update as soon as possible, as there are active exploits in the wild for some of these flaws!