Yesterday was the second Tuesday of the month, and by now you should know just what that means… another set of security updates for Microsoft products. This week also brings notable updates to some Adobe products, and you’ll want to take note of these as well.
Remember that security updates are a fact of life these days. They aren’t an indication that the software manufacturers are creating shoddy products; rather, they are a sign that the manufacturers are discovering flaws and repairing them in an effort to stay ahead of the malicious communities out there in the wild and untamed internet world. Security is an ongoing process these days.
We’ll start with Adobe this time.
Adobe Flash Player
Adobe has indicated that critical vulnerabilities have been discovered in Flash Player and Adobe AIR. These flaws could cause the application to crash, and a crash of this kind can expose a weakness that can be exploited – in this case, potentially allowing a hacker to take over your system.
Adobe recommends that all users of Flash Player version 10.0.32.18 and lower upgrade to version 10.0.42.34. Users of Firefox will have this pushed to them automatically; users of IE will have to go and get it manually. Either way, make sure you get the update!
Also, users of Adobe AIR version 1.5.2 and lower should upgrade to version 1.5.3.
Adobe Illustrator CS3 and CS4
It isn’t often that a program like Illustrator is impacted by a security threat, but in this case Adobe has found that a flaw in the handling of EPS files can result in an attacker being able to run code on your system, gaining control of your computer. There is no fix available at this time! Adobe has plans to release an update on January 8, 2010.
Until an update is released, the best risk mitigation is to avoid opening any EPS file from an unknown source.
Microsoft has released six new security updates for the month of December, covering a variety of products. Additionally, they’ve released a couple of security advisories, as well as the usual updates to the Outlook junk email filter and the Malicious Software Removal Tool.
The security updates are as follows:
- MS09-069 – addresses a vulnerability in Windows (KB 974392). In this case a weakness in the LSASS service could facilitate a denial of service attack. This is considered an important update and affects Windows 2000, XP, and Server 2003.
- MS09-070 – addresses two vulnerabilities in Windows (KB 971726). An attacker can gain control of a system by taking advantage of a flaw in Windows Active Directory Federation Services. This update is rated Important and impacts Windows Server 2003 and Server 2008, both 32 bit and x64 versions.
- MS09-071 – addresses two vulnerabilities in Windows (KB 974318). A vulnerability in the Internet Authentication Service could allow an attacker to gain control over a server. This update is Critical for Windows Server 2008, 32 bit and x64 versions. This update is also rated Moderate or Important for many other Windows versions, including Windows 2000, XP, Vista, and Server 2003.
- MS09-072 – addresses four vulnerabilities in Internet Explorer (KB 976325). The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This update is Critical for IE 5 and 6, Critical or Moderate for IE 7 depending on the system, and Moderate for IE 8.
- MS09-073 – addresses a vulnerability in Windows (KB 975539). In this case, the text converter in Microsoft WordPad and Microsoft Office Word has a flaw that can allow remote code execution and result in an attacker gaining control of the computer. This is rated Important for Windows 2000, XP, and Server 2003. It is also rated Important for Office Word 2002, 2003, Office Converter Pack, and Works 8.5.
- MS09-074 – addresses a vulnerability in Microsoft Office Project (KB 967183). This could allow remote code execution and system takeover if a user opens a maliciously crafted Project file. This is rated Critical for Project 2000, and Important for Project 2002 SP1 and 2003 SP3.
Additional updates beyond the core six security updates:
- Microsoft Security Advisory (954157): Security Enhancements for the Indeo Codec
- Microsoft Security Advisory (973811): Extended Protection for Authentication
- Office InfoPath 2007 Update
- Office Outlook Junk E-Mail filter
- Microsoft Malicious Software Removal Tool
Keep those systems up to date, and stay ahead of the bad guys!