Archive for Patch Management

New Critical Adobe Shockwave Patch Released

Adobe has just released a new version of their Adobe Shockwave Player.  Adobe Shockwave Player 11.5.8.612 addresses 20 vulnerabilities and is rated Critical.

Adobe Shockwave versions 11.5.7.609 and earlier should be patched as soon as possible.  More information regarding this patch can be found in Adobe Security Bulletin APSB10-20.

- Jason


Adobe Joining Patch Tuesday?

We noticed Adobe released new versions of their Flash Player for versions 9 and 10 today.  The previous versions of Flash were 10.1.53.64 and 9.0.277.0.  Two new versions are available on their website today:  9.0.280.0 and 10.1.82.76.  As of now, there are no bulletin pages available from Adobe.  The only known planned release for Adobe is for Reader, as was announced last week.  This update is scheduled for the week of August 16th.

We will keep monitoring Adobe to see if this release was a security release or a maintenance release.

**UPDATE**

Adobe just updated their bulletin page by releasing the following security bulletins:

APSB10-016

  • Affects Adobe Flash Player 10.1.53.64, Adobe Flash Player 9.0.277.0, Adobe Air 2.0.2.12610.
  • Fixes 6 vulnerabilities
  • Rated critical

APSB10-019

  • Affects Flash Media Server 3.5.3 and Flash Media Server 3.0.5
  • Fixes 4 vulnerabilities
  • Rated Critical

APSB10-018

  • Affects ColdFusion 8.0, 8.0.1, 9.0 and 9.0.1
  • Fixes 1 vulnerability
  • Rated Important

- Jason Miller
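
The fixed builds named in the Shockwave and Flash posts above can be checked against a software inventory; the comparison has to be numeric and per branch, since Flash 9 and Flash 10 each have their own fixed build. This is an added example, not code from the blog or from Adobe; the CSV layout, host names, and the `10.1.9.0` and `unknown` entries are constructed for illustration.

```python
import csv
import io

# Fixed builds named in the posts above, per product (one per maintained branch).
FIXED = {
    "shockwave player": ["11.5.8.612"],
    "flash player": ["9.0.280.0", "10.1.82.76"],
}

# Constructed sample inventory (hypothetical hosts), not data from the blog.
SAMPLE_INVENTORY = """host,product,version
ws-01,Flash Player,10.1.53.64
ws-02,Flash Player,10.1.82.76
ws-03,Flash Player,9.0.277.0
ws-04,Shockwave Player,11.5.7.609
ws-05,Shockwave Player,11.5.8.612
ws-06,Flash Player,10.1.9.0
ws-07,Flash Player,unknown
"""

def parse_version(text):
    """Turn '10.1.53.64' into (10, 1, 53, 64) so builds compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def required_build(product, installed):
    """Return the fixed build this install must reach, or None if it is current."""
    builds = [parse_version(v) for v in FIXED.get(product, [])]
    same_branch = [b for b in builds if b[0] == installed[0]]
    # With no fix listed for the installed branch, compare against every listed build.
    needed = [b for b in (same_branch or builds) if installed < b]
    return ".".join(map(str, min(needed))) if needed else None

def audit(inventory_csv):
    """Return (host, product, installed, fixed) for rows that still need patching."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        try:
            installed = parse_version(row["version"])
        except ValueError:
            # A version that cannot be read is reported rather than silently passed.
            findings.append((row["host"], product, row["version"], "unparseable"))
            continue
        fixed = required_build(product, installed)
        if fixed:
            findings.append((row["host"], product, row["version"], fixed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

A plain string comparison would treat `10.1.9.0` as newer than `10.1.82.76`; parsing each component as an integer is what flags ws-06.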


August 2010 Patch Tuesday Overview

Microsoft has released their planned 14 bulletins fixing 34 vulnerabilities today.  There are 4 bulletins that administrators should look at patching as soon as possible.

MS10-052 and MS10-055 both affect media files and are rated as Critical.  Opening a malicious media file can lead to remote code execution.  Downloading and playing media files is becoming more prevalent today as social interaction is moving to video.  This makes these vulnerabilities prime targets for attacks.

MS10-056 affects Microsoft Word and is rated as Critical.  Opening a malicious document can lead to remote code execution.  In addition to Microsoft Word, Microsoft Outlook 2007 can also play a part in exploitation.  In Outlook 2007, simply opening an email with a malicious attachment can lead to remote code execution.  This version of Outlook can be affected by viewing the document in the reading pane as Outlook 2007 uses Microsoft Word as the default email reader.  RTF documents are extremely common and are typically not blocked by companies as attachments.  We can expect malicious RTF documents in users' email boxes in the coming weeks.

MS10-060 affects Silverlight.  This patch fixes a vulnerability that can lead to remote code execution.  Microsoft has patched Silverlight in the past, but this patch is more critical than past patches.  An attacker only needs to entice a user to visit a malicious website in order to deliver a payload.  The Silverlight install is amazingly easy, so you can assume that a lot of your computers currently have this program installed.  I have not heard of any Silverlight exploits, but I expect to see more with the release of this patch.

There are a couple of other bulletins this month that also require extra attention.

MS10-054 affects the SMB service on Microsoft Windows.  Normally, alarms would be going off for security researchers as typical SMB vulnerabilities can lead to worm-based attacks.  With this vulnerability though, there are some factors that will make it a lower risk.  Newer versions of the Microsoft operating system (Windows 2003 and newer) require the attacker to be authenticated.  This instantly lowers the risk of a worm as most attacks need to be unauthenticated.  In older operating systems (Windows XP), the attack can be unauthenticated.  The vulnerability itself would be very difficult to exploit as the attacker cannot control the outcome of the exploit on the machine.  The most likely result will be a denial of service attack as the system will become unresponsive and reboot.

MS10-047 affects the Windows Kernel.  Although this bulletin has a lower severity rating, it is imperative to test this patch before deploying to your computers.  Patching the Windows Kernel can at times leave the system completely unusable.  We’ve seen this with machines infected by rootkits in the past.  Microsoft has taken steps since that time to ensure the Kernel will not be adversely affected by the patch, but you should still apply this patch to a set of test systems before deploying.

MS10-046 was released out-of-band on August 2nd.  Some organizations were waiting to deploy this patch until the regularly scheduled patch day.  This bulletin should be addressed right away as well, as there are currently exploits for the vulnerability.  If you have applied the workaround for the vulnerability, it is important to remember to remove the workaround.  Users will be happy to see their icons on their desktops and start menus return to normal.

This large patch month will affect all of your systems, workstations or desktops.  This many patches can increase network bandwidth, increase the time for the system to run each patch and require reboots.  Be sure to take the time and review the bulletin summaries and have a clear plan of a patch attack.

- Jason Miller


New Version Of Sun Java Available

Sun (Oracle) has released a new version of Sun Java 6.  Sun Java 6 update 21 has been available for a while on the developer network.  This update is now being prompted by the auto update feature in Java as well as the consumer Java download page.  This release does not contain any security related fixes.

- Jason Miller


August 2010 Patch Tuesday Preview

Microsoft just announced their August 2010 patch day advance notification.  They are planning on releasing a mammoth number of security bulletins.  The 14 planned bulletins will address 34 vulnerabilities.  The number of bulletins in one release is the largest ever for Microsoft.  The previous high was 13 released last February.  The 34 vulnerabilities addressed match the all-time high set in June of this year.

August Patch Tuesday Overview

  • 8 bulletins are rated Critical
  • 6 bulletins are rated Important
  • 10 bulletins address Remote Code Execution vulnerabilities
  • 4 bulletins address Elevation of Privilege vulnerabilities
  • 10 bulletins affect the Microsoft Windows Operating System
  • 2 bulletins affect Microsoft Office
  • 1 bulletin affects Microsoft Silverlight
  • 1 bulletin affects Internet Explorer

- Jason Miller


Microsoft Releases Out-Of-Band With MS10-046

Microsoft has just released an out-of-band security bulletin as announced last Friday.  This bulletin addresses one zero day vulnerability that is currently being exploited in the wild.  The MSRC found a new, particularly nasty, virus exploiting the vulnerability.  Sality.AT has seen an uptick in infections in the past few days.  MS10-046 affects all supported operating systems.  If you have applied the workarounds suggested by Microsoft, you should remove them as soon as your systems are patched.  I am sure people will enjoy having their icon images back on their Start Menu and Desktop.

Microsoft releasing a security bulletin out-of-band is not uncommon.  The most surprising aspect of this release is how close we are to the regularly scheduled patch Tuesday.  In previous out-of-band releases, you can see the timing is typically in-between patch Tuesdays.

  • MS09-034:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS09-035:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS10-002:  January 21, 2010 – One and a half weeks prior to scheduled patch day
  • MS10-018:  March 30, 2010 – Two weeks prior to scheduled patch day

With a release this close to Patch Tuesday, it is safe to assume you should patch this security bulletin immediately.

While patching MS10-046, you should take a look at patching your Apple Safari browser installations.  Apple released a security update last Thursday addressing 15 vulnerabilities.

- Jason Miller


This Week In Patching – 7/23/2010

There were quite a few critical patches released this week.  Some of these, such as Firefox, were expected.  Mozilla just released an updated version for the Firefox browser.  This is the second critical Firefox release just this week.

Mozilla Firefox 3.6.8

  • Released 7/23/2010
  • Fixes:  1 Critical Vulnerability

Mozilla Thunderbird 3.0.6

  • Released 7/20/2010
  • Fixes:  4 Critical Vulnerabilities; 1 High Vulnerability; 2 Moderate Vulnerabilities

Mozilla Thunderbird 3.1.1

  • Released 7/20/2010
  • Fixes:  5 Critical Vulnerabilities; 2 High Vulnerabilities; 3 Moderate Vulnerabilities

Mozilla SeaMonkey 2.0.6

  • Released 7/20/2010
  • Fixes:  7 Critical Vulnerabilities; 1 High Vulnerability; 3 Moderate Vulnerabilities

Mozilla Firefox 3.5.11

  • Released 7/20/2010
  • Fixes: 7 Critical Vulnerabilities; 1 High Vulnerability; 3 Moderate Vulnerabilities

Mozilla Firefox 3.6.7

  • Released 7/20/2010
  • Fixes:  8 Critical Vulnerabilities; 2 High Vulnerabilities; 4 Moderate Vulnerabilities

Apple iTunes 9.2.1

  • Released 7/19/2010
  • Fixes:  CVE-2010-1777
  • It is important to note a special case with QuickTime in this installer.  If you do not have QuickTime currently installed, the iTunes installer will install version 7.66.73.0.  QuickTime version 7.66.71.0 is the version publicly available on Apple’s site.  I did not see any release notes around this minor update, so I expect this is a minor fix that is not security related.

- Jason Miller


July 2010 Patch Tuesday Overview

Microsoft has released 4 new security bulletins in the July 2010
edition of patch Tuesday.  These bulletins address 5 vulnerabilities.
It is not uncommon, and has become expected, for a light patch Tuesday
to follow a heavy patch Tuesday release from Microsoft.  Last month,
Microsoft released a hefty load of patches with 10 security bulletins
addressing 34 vulnerabilities.

The security bulletin that administrators should address first on their
machines is MS10-042.  This security bulletin addresses a currently
exploited vulnerability in the wild affecting the Windows Help system.
Earlier this month, this vulnerability and exploit code were released
by a security researcher prompting Microsoft to release Security
Advisory 2219475.  For any zero day exploit, administrators should
deploy the patch as soon as possible.

A second Security Advisory, 2028859, is being closed out with the
release of Security Bulletin MS10-043.  There are no current exploits
being reported from Microsoft against this vulnerability although the
vulnerability was publicly disclosed.  The last two bulletins affect
Microsoft Office programs and each can lead to remote code execution
on an affected machine.

This may seem like a light patch month in the amount of effort
required by administrators to protect their networks, but all
administrators could have quite a work load as Windows 2000 and
Windows XP SP2 have officially reached end of life support.  These
operating systems will no longer be supported after today’s patch
Tuesday.  Microsoft will not be supplying new Security Bulletins for
these operating systems going forward.  It is important for
administrators to use this light patch month to identify these systems
on their network and upgrade the machines to a supported operating
system or service pack level.  Unlike patching, deploying new
operating systems or service packs can be quite an undertaking as it
requires plenty of time and effort.

- Jason Miller


New Adobe Patch Released

As they had announced earlier this month, Adobe has released critical security patches for the Adobe Reader and Acrobat products as described in security bulletin APSB10-15.  Most of the focus with this patch release will be on the actively exploited vulnerability CVE-2010-1297.  This vulnerability affects Adobe Reader and Acrobat versions 9.3.2 and earlier.  Adobe Reader and Acrobat 8.x are not affected by this vulnerability.  It is important to note that this patch contains 17 total vulnerability fixes, so Adobe Reader 8.x will be affected by this patch release for the remaining vulnerabilities.  The actively exploited vulnerability also exists in Adobe Flash.  Adobe patched the Flash program in early June, so you should address this program as well as Adobe Reader.

Adobe has released this patch earlier than their regular security update schedule.  They are not planning on releasing additional security updates during the July 2010 patch day.

Since this is already turning into a mini patch day for you, here are some other releases since last week you should address:

Opera 10.54
Security release fixing 2 issues:

Cross-site scripting issue detailed here.
Windows Font issue detailed here.

SeaMonkey 2.0.5
This update addresses:

  • 6 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.

Firefox 3.6.6
This update is a maintenance release that addresses an issue introduced in 3.6.4 where applications, such as Farmville, could hang the browser.  Note:  Mozilla did not release a browser version 3.6.5.  More information can be found here.

Firefox 3.6.4
This update addresses:

  • 4 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.

Firefox 3.5.10
This update addresses:

  • 6 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.

Thunderbird 3.0.5
This update addresses:

  • 4 Critical software vulnerabilities

More information regarding this release can be found here.

Thunderbird 3.1
This update is a maintenance release.  More information can be found here.

- Jason Miller


New Versions of Adobe Flash Available

Adobe released new versions of Flash 9 and 10 today as expected.  Flash 10.1.53.64 and 9.0.277.0 address one critical security vulnerability as described in Adobe Security Advisory APSA10-01.  You will want to look at patching these as soon as possible as this vulnerability is being actively exploited in the wild.

Adobe Reader and Acrobat are scheduled to be released later this month (June 29).

**Note:  The Adobe download page and security advisory still have not been updated.  The download for Adobe Flash will download the latest.  Stay tuned to the advisory page for details on the security bulletin.

- Jason Miller
