Adobe and Microsoft on Tuesday each released security updates to remedy critical vulnerabilities in their software. Adobe pushed patches to plug at least 56 security holes present in Adobe Reader and Acrobat, as well as a fix for Flash Player that corrects 13 flaws. Separately, Microsoft issued six update bundles to address at least 33 security problems in various versions of Windows, Microsoft Office and other software.
Three of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning they could be exploited by hackers or malware to take complete control over vulnerable systems without any help from users. According to security firm Shavlik, four of the flaws involve vulnerabilities that were publicly disclosed by someone other than Microsoft prior to this week. The implication here is that malware writers may have had a head start figuring out ways to exploit several of these flaws, so it’s probably best not to let too much grass grow under your feet before applying this month’s updates.
As per usual, the largest number of flaws addressed in a single patch from Microsoft target multiple versions of Internet Explorer, the default browser on Windows — as well as Microsoft Edge, Redmond’s replacement browser for IE. Other critical fixes concern the Windows operating system and Office.
As it usually does on Patch Tuesday, Adobe pushed a critical update for its ubiquitous Flash Player software that plugs multiple flaws. Find out if you have Flash installed and its current version number by visiting this page.
If you use and need Flash Player, it’s time to update the program (the latest version is220.127.116.11 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 18.104.22.168); each should auto-update to the latest.
Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.
If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash content gets to load when you visit a Web page.
If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
There is also a security update available for Adobe AIR. If you use this program, please take a moment today to patch it. AIR should prompt you to update to the latest version if you launch an application the requires AIR, such as Pandora.
Finally, Adobe issued a fairly substantial fix for Adobe Reader and Acrobat that fixes more than four dozen vulnerabilities in these programs. For more on the latest versions and download link, check out Adobe’s security advisory.