In addition to the large batch of patch goodness Microsoft dropped on us yesterday, Adobe and Oracle had their own Valentines to hand out to IT managers.
Adobe had two bulletins, one for Shockwave and another for RoboHelp for Word. RoboHelp is an add-on for Microsoft Office that allows organizations to create help and knowledgebase content.
APSB12-04 for RoboHelp is rated Important and fixes a XSS (cross-site script) vulnerability in versions 8 and 9 of the application.
APSB12-02 for Shockwave player fixes nine vulnerabilities in both the Windows and Macintosh versions of the plugin.
Adobe considers this update to be critical as it can cause remote code execution if exploited.
Keep in mind that Shockwave is not Flash. Most people have no need for Shockwave as it has been largely abandoned on the internet for some years now.
Since mobile platforms like the iPad and Android devices don’t work with it, you probably don’t need it installed at all. Fewer applications, less attack surface.
Java on the other hand is a more difficult topic to tackle. Exploit kits such as Blackhole seem to have the most success targeting unpatched Java installs.
In my experience, Java is the most targeted and easy-to-exploit software on the desktop today, surpassing Adobe Reader and Flash during 2011.
Oracle has released Java 6 update 31 (recommended), Java 5 update 34 and Java 7 update 3, all of which can be downloaded from Java.com.
Mac OS X users will have to wait for Apple to patch the Java included in the operating system. Oracle does not build Java for Mac, but it is still vulnerable all the same.
These updates fix 14 vulnerabilities, all of which can lead to remote code execution without credentials.
Yes, an attacker can choose to run any code on your computer he wishes, without even taking the time to steal your password.
Hopefully that puts into perspective how important these patches really are.
As Paul Baccas of SophosLabs pointed out recently, the bad guys are taking advantage of our laziness and are able to use bugs more than a year old and still succeed often enough to keep trying.
My advice on Java? Java has waned in popularity on most websites, so ditch it if you can.
Of course, there are plenty of specialized applications – some of which you may only use internally – that do still require Java.
Personal firewall to the rescue! I never use Java applications on the internet from my home PC, so I have simply configured the Sophos Client Firewall to allow Java access only to localhost and my home server that has a Java applet.
At work we have a few applications that require Java, but I have configured the firewall to only allow JavaW.exe to communicate with those specific sites.
When you see activity in your logs from JavaW.exe to outside IP addresses, your first assumption should be that you are being exploited.
Whatever you think of Java, Shockwave or even RoboHelp, if they are installed it is highly recommended you patch them as soon as possible.Follow @chetwisniewski