Patch Tuesday for September 2012 - All about Adobe

Filed Under: Adobe, Adobe Flash, Featured, Microsoft, Vulnerability

NOTE: Thank you from Naked Security for the comments. We realise that wording here was a little confusing. We have updated the article. Thanks for keeping us on our toes!

As is customary, Microsoft released their monthly batch of fixes this morning. That is, if you consider two to be a batch, and only if you run Visual Studio Team Foundation Server 2010 or SMS 2003 SP3/SCCM 2007 SP2.

Both vulnerabilities (MS12-061 and MS12-062) are elevation of privilege vulnerabilities. This means the attacker would need to have already gained access to the system.

An elevation of privilege allows a regular non-administrative user to gain admin rights through the vulnerability.

The bigger story is Adobe's fixes for Flash, Photoshop CS6 and ColdFusion, all of which have been released during the last three weeks.

The most important bulletin is APSB12-19, first released August 21, which fixes seven vulnerabilities in Flash Player.

The first five vulnerabilities can all result in remote code execution (RCE). These are critical and should make patching Flash Player the highest priority.

Of the other two, one is an information disclosure vulnerability and the other was causing crashes for Firefox users.

As always the latest Flash Player is available for all platforms except Android from http://get.adobe.com/flashplayer.

APSB12-20, first issued August 30, covers two remote code execution vulnerabilities in Adobe Photoshop CS6. These vulnerabilities are considered critical and users of Photoshop CS6 would be advised to update to version 13.0.1.

Adobe has stated that earlier versions of Photoshop are not affected.

Lastly APSB12-21, released yesterday, patches a denial-of-service (DoS) vulnerability in ColdFusion versions 8-10. More details are available in Adobe's bulletin.


6 Responses to Patch Tuesday for September 2012 - All about Adobe

  1. rahimali74 · 681 days ago

    what rock have you people been living under? the APSB12-19 bulletin was originally released Aug 21, with last update on Aug 30 which means you are almost two weeks late on the draw which might not be so atrocious were you not a security company. shameful!

    • bill · 680 days ago

      I think it was an honest mistake, it's been corrected and has hardly done any harm. Why the vile?

  2. Torben B. Sørensen · 681 days ago

    APSB12-19 was released on August 21, not yesterday. The Photoshop patch is also old. Only the ColdFusion patch was released on Patch Tuesday.

    • JimboC · 681 days ago

      Hi Torben B. Sørensen,

      Agreed, the Flash update is from August 21st and the Photoshop update was released on the 30th of August.

      This is very misleading, at first I thought a newer Adobe Flash was available but after checking Adobe’s PSIRT blog ( http://blogs.adobe.com/psirt/ ) I found this was not the case.

      @Chester: If you wish to remind the readers of this blog to apply these updates if they have not already, please feel free to do so. What you have written above gives the false impression that all of the updates were released yesterday and does not read like a reminder to patch.

      e.g. "The bigger story today is Adobe's fixes for Flash, Photoshop CS6 and ColdFusion."

      Thanks.

  3. Bill · 681 days ago

    Yep, can't find a new Flash version.

  4. aname · 680 days ago

    "As always the latest Flash Player is available for all platforms except Android"

    it isn't available on ios

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.