Category Archives: Adobe

Patch Tuesday for September 2014

This month’s crop of updates from Microsoft includes four security bulletins, addressing 42 CVEs in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. The update for Internet Explorer is Critical, and should be installed ASAP.

From Adobe, we get another new version of Flash, 15.0.0.152. The new version addresses memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557), a security bypass vulnerability (CVE-2014-0554), a use-after-free vulnerability that could lead to code execution (CVE-2014-0553), memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555), a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559). Anyone still using Flash, especially within a web browser, should update immediately.

Google Chrome and Internet Explorer on Windows 8.x will be updated automatically to include the new version of Flash.

August Patch Tuesday for Adobe software

Adobe’s monthly updates continue to coincide with Microsoft’s. This month there are updates for Adobe Acrobat/Reader and Flash.

The new version of Flash is 14.0.0.176, unless you’re using Flash in a browser other than Internet Explorer, in which case it’s 14.0.0.179. Regardless, the new version includes several bug and security fixes, and adds some new features that are mainly of interest to developers.

The latest version of Adobe Reader is 11.0.0.8. This version fixes a specific vulnerability that allows attackers to circumvent security protections. According to Adobe, attacks based on this vulnerability have been seen in the wild.

Shockwave 12.1.3.153

Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.

The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.

Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of an update alert mechanism such as an RSS feed, although with the information so out of date, that wouldn’t really help.

The best resource for keeping track of Shockwave versions that I’ve found so far is FileHippo’s Shockwave version history.

Flash 14.0.0.145 fixes more security vulnerabilities

These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.

The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.

As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.

Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.

Shockwave 12.1.2.152

The latest version of Adobe Shockwave Player is 12.1.2.152.

Unfortunately, the release notes for Shockwave on the Adobe site haven’t been updated since 2007, so it’s difficult to know for sure what’s different about this version. However, given Adobe’s reputation, it’s safe to assume that running an older version of Shockwave will make your computer less secure.

Then again, since Shockwave apparently includes an old, insecure version of Flash, you might want to consider removing Shockwave from your computer completely, unless you absolutely require it. Another alternative is to configure your browser to prompt for activation whenever Shockwave media is encountered. See the instructions for doing this in Firefox elsewhere on this site.

Flash 14.0.0.125 fixes security issues

Another new version of Flash was released today. Version 14.0.0.125 closes six security vulnerabilities found in previous versions.

If Flash is enabled in your web browser, you should update it as soon as possible.

As usual, the embedded Flash in Internet Explorer on Windows 8.x is updated via Windows Update, while the embedded Flash in Chrome will update itself automatically.

Adobe Shockwave is also a target

Another increasingly popular target for malicious hackers is Adobe Shockwave. But what is Shockwave, and how does it relate to Adobe Flash?

Like Flash, Shockwave is a media platform, and Shockwave media is most commonly found on the web. The two platforms do many of the same things, but the software for creating Shockwave media is both more powerful and more expensive. Flash media is much more common.

In any case, since Shockwave is a target, and since the Shockwave player is commonly installed on the computers of regular users (usually in the form of a browser plugin), I’m adding it to the Software Versions page on this web site.

Update 2014May22: Now comes word that Shockwave contains a version of the Flash player that is over a year out of date. None of the security updates and features added to Flash in the past fifteen months are present in Shockwave’s bundled Flash. Because of this, we recommend disabling Shockwave in your web browser immediately.

Adobe Patch Tuesday for May 2014

Adobe has settled into a routine of publishing updates for its software on the second Tuesday of each month, in line with Microsoft’s practices. Today Adobe announced updates for Flash and Reader/Acrobat.

Both the Flash bulletin and the Reader/Acrobat bulletin are a bit light on details, saying only that the updates address critical vulnerabilities in the software.

The release notes for the new version (13.0.0.214) of Flash go into more detail, although most of the information is about new features.

As usual, Google Chrome and Internet Explorer on Windows 8.x will be updated automatically and via Windows Update, respectively.