Oracle Java and Adobe Shockwave patches for February too

Filed Under: Adobe, Apple, Featured, Java, Oracle, Vulnerability

In addition to the large batch of patch goodness Microsoft dropped on us yesterday, Adobe and Oracle had their own Valentines to hand out to IT managers.

Adobe had two bulletins, one for Shockwave and another for RoboHelp for Word. RoboHelp is an add-on for Microsoft Office that allows organizations to create help and knowledgebase content.

APSB12-04 for RoboHelp is rated Important and fixes an XSS (cross-site scripting) vulnerability in versions 8 and 9 of the application.

APSB12-02 for Shockwave player fixes nine vulnerabilities in both the Windows and Macintosh versions of the plugin.

Adobe considers this update to be critical as it can cause remote code execution if exploited.

Keep in mind that Shockwave is not Flash. Most people have no need for Shockwave as it has been largely abandoned on the internet for some years now.

Since mobile platforms like the iPad and Android devices don't work with it, you probably don't need it installed at all. Fewer applications, less attack surface.

Java on the other hand is a more difficult topic to tackle. Exploit kits such as Blackhole seem to have the most success targeting unpatched Java installs.

In my experience, Java is the most targeted and easy-to-exploit software on the desktop today, surpassing Adobe Reader and Flash during 2011.

Oracle has released Java 6 update 31 (recommended), Java 5 update 34 and Java 7 update 3, all of which can be downloaded from Java.com.

Mac OS X users will have to wait for Apple to patch the Java included in the operating system. Oracle does not build Java for Mac, but it is still vulnerable all the same.

These updates fix 14 vulnerabilities, all of which can lead to remote code execution without credentials.

Yes, an attacker can choose to run any code on your computer he wishes, without even taking the time to steal your password.

Hopefully that puts into perspective how important these patches really are.

As Paul Baccas of SophosLabs pointed out recently, the bad guys are taking advantage of our laziness and are able to use bugs more than a year old and still succeed often enough to keep trying.

My advice on Java? Java has waned in popularity on most websites, so ditch it if you can.

Of course, there are plenty of specialized applications - some of which you may only use internally - that do still require Java.

Personal firewall to the rescue! I never use Java applications on the internet from my home PC, so I have simply configured the Sophos Client Firewall to allow Java access only to localhost and my home server that has a Java applet.

At work we have a few applications that require Java, but I have configured the firewall to only allow JavaW.exe to communicate with those specific sites.

When you see activity in your logs from JavaW.exe to outside IP addresses, your first assumption should be that you are being exploited.
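The two steps above (allow JavaW.exe to reach only a short list of known destinations, then treat anything else in the logs as a sign of trouble) can be turned into a quick log review. The script below is an added example and is not the post's or Sophos's own code; the log format, the process names and the destination addresses are all constructed (the IPs use documentation ranges), so adjust the parser and the allowlist to whatever your own firewall actually writes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log in a hypothetical
# "date time process dest_ip dest_port action" format.
# This is NOT the Sophos Client Firewall's real log format.
SAMPLE_LOG = """\
2012-02-15 09:01:12 javaw.exe 127.0.0.1 8080 allowed
2012-02-15 09:02:40 javaw.exe 192.168.1.20 443 allowed
2012-02-15 09:05:03 javaw.exe 203.0.113.45 80 allowed
2012-02-15 09:05:09 javaw.exe 198.51.100.7 8443 blocked
2012-02-15 09:06:00 firefox.exe 198.51.100.7 443 allowed
2012-02-15 09:07:22 javaw.exe 192.0.2.10 443 allowed
"""

# Allowlist of destinations Java is expected to reach (constructed values):
# loopback, a single home server on the LAN, and the address range of the
# work application that still needs Java. Everything else is unexpected.
JAVA_ALLOWED = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.1.20/32"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Both launchers can run applets and applications, so watch both.
WATCHED_PROCESSES = {"javaw.exe", "java.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    dest: str
    port: int
    action: str  # "allowed" means the firewall rule has a gap; "blocked" is still an attempt


def parse_line(line):
    """Parse one constructed log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, process, dest, port, action = parts
    try:
        ip = ipaddress.ip_address(dest)
        port = int(port)
    except ValueError:
        return None
    return f"{date} {time}", process.lower(), ip, port, action


def is_allowed_destination(ip, allowlist):
    return any(ip in net for net in allowlist)


def find_unexpected_java_connections(log_text, allowlist=JAVA_ALLOWED):
    """Return every Java connection whose destination is not on the allowlist.

    Blocked attempts are reported too: the firewall stopped them, but the
    attempt itself is the signal that Java was trying to talk to something
    it never should.
    """
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, process, ip, port, action = parsed
        if process not in WATCHED_PROCESSES:
            continue
        if is_allowed_destination(ip, allowlist):
            continue
        alerts.append(Alert(ts, process, str(ip), port, action))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_java_connections(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.process} -> {alert.dest}:{alert.port} ({alert.action})")
```

On the constructed sample this flags two lines: the blocked attempt to 198.51.100.7, and the allowed connection to 192.0.2.10, which tells you the firewall rule is looser than intended and needs tightening as well as investigating.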

Whatever you think of Java, Shockwave or even RoboHelp, if they are installed it is highly recommended you patch them as soon as possible.

Update: Naked Security reader @chasapple points out that Adobe released a Flash update later today as well. The patch fixes seven critical vulnerabilities in Adobe Flash Player.


4 Responses to Oracle Java and Adobe Shockwave patches for February too

  1. Tony B. · 982 days ago

    I'd like Adobe to release a secure Flash Player version that doesn't repeatedly crash my XPSP3 system. Even after multiple rebuilds (and OS updates), anything later than version 10.1.53.64 gives me terminal grief.

  2. Robert Wurzburg · 980 days ago

    Whenever security updates are released, I never wait for the Automatic Update check. I go directly to each website then download and install all appropriate updates for all my computers, one by one. I often get them before any Security Bulletins are emailed to me, or the program auto-updaters check for available updates. A minute spent unpatched is a vulnerable one, and not necessary if you stay on top of all your programs and OS like I do. I check every website at least once a week.

  3. Kevn · 929 days ago

    I can't find Java 5 update 34 at Java.com or anywhere else. Java.com only has Java 6. Java 7 isn't even available at Java.com. Oracle's Java developer web site tops out at Java 5 update 22.

  4. steph t · 837 days ago

    I can't find a simple link for a patch...I thought I had all the updates, but my Kaspersky finds 2 vulnerabilities in Java and in Adobe...please help

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.