Category Archives: Patches and updates

Patch Tuesday for October 2013

Patches from Microsoft and Adobe were announced today, along with a new version of Flash.

Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.

The Microsoft Security Research Center as usual provides a more friendly overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.

Two bulletins from Adobe fix security vulnerabilities in Adobe Reader/Acrobat and Robohelp.

Flash 11.9.900.117 includes a long list of bug fixes. Chrome will be updated silently to match the new version of Flash. An update for Internet Explorer 10 on Windows 8 is also on the way.

Opera 17 released

Development continues on the new Webkit-based version of the Opera web browser. Version 17 was announced today. This version adds pinned tabs, startup options and custom search engine support.

Purists can still download the classic version 12.x Opera. It remains to be seen how many of the features lost in the transition from the Presto-based browser will be added to the Webkit-based browser. So far there’s plenty missing, including bookmarks, the sidebar and proper tab control.

Advance patch notifications from Microsoft and Adobe

Next Tuesday, October 8, will see patches from Microsoft (for Internet Explorer, Windows, .NET, Office and Silverlight) and Adobe (for Reader/Acrobat).

Included in the patches from Microsoft will be a fix for the recently-discovered security flaw affecting all versions of Internet Explorer.

Additional details:

Another bug fix for ActiveX version of Flash

Adobe released new versions of Flash for all platforms on September 10. A few days later, they released a new ActiveX version (11.8.800.174) to fix some bugs that were discovered in the previous release.

Today, Adobe released yet another ActiveX version of Flash to fix one more bug. The new version (11.8.800.175) is now available, but only via the Flash auto-updater.

For some unknown reason, Adobe has not posted the new version to the main download page, so anyone trying to update Flash in Internet Explorer by visiting this page will have no luck. According to Adobe, they hope to have version 11.8.800.175 available on the main download page on September 24.

Microsoft updates declining in quality?

Given that the vast majority of Windows systems are configured to download and install updates automatically, it’s critical for Microsoft to ensure the quality of those updates. One seriously bad update could cripple millions of Windows computers.

Issues with several of the September 2013 updates, along with similar problems in recent months, are causing concern in the industry. ComputerWorld has an informative look at the recent problems.

Internet Explorer flaw being actively exploited

Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.

If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.

Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.

No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.

Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.

Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).