Security researchers from around the world apparently turned their attention to Adobe’s Acrobat and Acrobat Reader recently, and their efforts revealed a big pile of new vulnerabilities. Adobe responded yesterday, releasing new versions of its Acrobat-related products that address eighty-six of those vulnerabilities.
Although Acrobat and Reader exist in several different forms, the one most people actually use these days is Adobe Acrobat Reader DC (Continuous), and the latest version of that variant is 2019.008.20071.
If you use any paid version of Acrobat, or any of its free Reader variants, you should update it as soon as possible. This is particularly important if you open PDF files with uncertain provenance on the web or received in email. If you use Reader as a browser plug-in or extension, you should drop everything and update immediately.
Recent versions of Acrobat and Reader include an automatic update system, so your install may already be up to date. The easiest way to find out is to run it, then navigate its menu to
Check for Updates... If an update is available, you’ll be able to install it from there.
Adobe usually releases security updates for its software on Patch Tuesday, but they apparently decided that the seven vulnerabilities addressed in Acrobat Reader DC 2018.011.20063 shouldn’t be delayed.
The release annoucement for Adobe Reader 2018.011.20063 provides some details about the vulnerabilities. One of them, CVE-2018-12848, can lead to Arbitrary Code Execution, and is flagged as Critical.
It’s important to keep Acrobat Reader DC up to date, because it’s still being used to deliver malware, embedded in PDF documents. It’s especially important if you’ve enabled Reader in your web browser.
If you use Acrobat Reader DC, you can check whether it’s up to date by navigating its menu to
About Adobe Acrobat Reader DC. There’s also a
Check for Updates function in the
Help menu. On my Windows 8.1 computer, a Windows Task Scheduler task (added by Adobe) updated the software within a few hours of the new version’s release.
Analysis of Microsoft’s Security Update Guide shows that this month’s updates address sixty-two security vulnerabilities, ranging from Low to Critical in severity, in the usual suspects, namely Edge, .NET, Internet Explorer, Office, and Windows. There are forty-five updates in all.
If you’re looking for a new way to evaluate Microsoft’s monthly patch offerings, I recommend Microsoft Patch Tuesday by security firm Morpheus Labs. It’s a lot less oppressive — and easier to use — than Microsoft’s Security Update Guide.
Adobe’s providing us with a new version of Flash this month. Flash version 18.104.22.168 fixes a single security vulnerability. As usual, the Flash code embedded in Chrome and Microsoft browsers will update itself through Google’s automatic update process and Windows Update, respectively.
It’s update time again.
Analysis of Microsoft’s Security Update Guide shows that this month there are seventy updates for Windows, Office, Internet Explorer, .NET, Edge, Excel, Outlook, PowerPoint, and Visual Studio. A total of sixty security bugs are addressed, twenty of which are categorized as Critical.
Adobe, meanhwile, has released new versions of Flash and Acrobat Reader. Flash 22.214.171.124 includes fixes for five security issues, all of which are ranked as Important. Acrobat Reader 2018.011.20058 addresses two Critical security vulnerabilities.
Remember, folks: although updating software is perhaps not the most exciting thing you’ll do today, it’s entirely worthwhile, as it limits the damage that can be done by any stray malware that may find itself on your computer… from that attachment you opened without thinking, or that web site you visited when you accidentally clicked that link.
Adobe and Microsoft have issued their monthly updates for July, so even if you’d rather be doing anything else, you should be patching your computers.
We’ll start with Microsoft. As usual, this month’s Security Update Release bulletin serves as little more than a link to the Security Update Guide (SUG), Microsoft’s labyrinthine replacement for the individual bulletins we used to get.
In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small
Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.
Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allow you to select a particular product or platform, and hide everything else.
Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.
As for Adobe, there are updates for Flash (version 126.96.36.199) and Acrobat Reader DC (version 2018.011.20055). The Flash update fixes two vulnerabilities, one of which is Critical. The Acrobat Reader DC update includes fixes for over one hundred security bugs.
On June 7, Adobe released a new version of Flash, which addresses four vulnerabilities in earlier versions. One of those vulnerabilities is being exploited right now, mostly by way of Office documents attached to email.
The security bulletin for Flash 188.8.131.52 provides additional details.
If you’re using Flash, and in particular if you use a web browser in which Flash is enabled, you should update Flash as soon as possible. On Windows systems, you can do that by going to the Windows Control Panel, then clicking the Flash component. In the Flash Player Settings Manager, go to the
Updates tab and click
Check Now. That will take you to the official About Flash page, where you can check whether Flash is currently installed, see which version is installed, and download the latest version. Depending on your browser configuration, you may have to click the small gray rectangle to the right of the introductory text, then confirm that you want to allow Flash content to play.
As usual, browsers with embedded Flash (Edge, Chrome, Internet Explorer) will get the new version via their own update mechanisms.
Forty-seven security vulnerabilities in Acrobat Reader — many of them flagged as Critical — prompted Adobe to release a fixed version on May 14.
Acrobat Reader comes in a few different flavours, but the one targeted at regular users is Acrobat Reader DC, which is also sometimes refererred to as Acrobat Reader DC (Continuous Track). See the post Adobe Acrobat Reader updates from 2018Feb16 for more information about Acrobat/Reader variants.
Acrobat Reader DC version 2018.011.20040 contains fixes for all forty-seven vulnerabilities documented on the associated security bulletin.
You can install the latest Reader by visiting the Get Acrobat Reader page on Adobe’s web site. Don’t forget to disable any checkboxes for installing optional software. When I installed Acrobat Reader DC 2018.011.20040 from that page earlier, there were three such options, all enabled by default:
- Install the Acrobat Reader Chrome Extension
- … install the free McAfee Security Scan Plus utility …
- … install McAfee Safe Connect …
Unless you know for sure you want to use those products, it’s best to avoid them.
Spring has sprung, and with it, a load of updates from Microsoft and Adobe.
This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.
The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.
Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.
As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 184.108.40.206 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.
You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.
Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.
Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.
If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.
Adobe’s offering for this month’s patching fun is a new version of Flash Player: 220.127.116.11 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.
If you’re using a web browser with Flash enabled, you should install Flash 18.104.22.168 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.
A new version of Flash, released on March 13 by Adobe, fixes two security vulnerabilities as well as a few other bugs.
If you use a browser with Flash enabled, you should update it as soon as possible. Most browsers no longer play Flash content automatically, or at least have options to make Flash content play only when explicitly allowed. Still, it’s best to be up to date if you use Flash at all.
Internet Explorer and Edge will get their Flash updates via Windows Update, and Google Chrome will update itself on its own mysterious schedule. You can force the issue by visiting the main Flash download page, or the About Flash page, which will prompt you to update if you’re not running the latest version. Don’t forget to disable installation of any additional software, including McAfee security products.
You can find more details in the release announcement, release notes, and the associated security bulletin.