It was the second Tuesday of the month yesterday, meaning that it was once again time for Microsoft to roll out its regular collection of security updates under the familiar moniker of “Patch Tuesday”.
The bundle of patches from Microsoft covers at least 23 documented vulnerabilities, and includes fixes for flaws that could be exploited in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.
The worst of the Microsoft vulnerabilities have earned the highest severity level of “Critical”, and require no user interaction for a malicious attacker to run code on a victim’s computer.
One vulnerability, which many companies will certainly want to patch against, is the one detailed in MS12-029. If left unpatched, the vulnerability could allow remote code execution if a user opens a boobytrapped RTF file.
As always, you can read the interpretation of SophosLabs on the seriousness of the various Microsoft vulnerabilities on the vulnerabilities page.
Remember, if you don’t have auto-updating turned on, you can click the Windows Update icon on the Start Menu to download Microsoft security updates.
Separately, Adobe issued security bulletins yesterday related to Adobe Illustrator, Adobe Photoshop (CS5 and earlier), Adobe Flash Professional and Adobe Shockwave Player.
Any Windows or Mac computer user who still feels it’s necessary to run Adobe Shockwave Player is advised to update to the latest version (currently 11.6.5.635).
Only the shockwave player update is free to existing users. All others require upgrading to the next version – $
You forgot Java… They updated to Java 7 Update 4 at the Get Java website for consumers.
Yesterday was the second Tuesday of the month, not the first; it's the second Tuesday every month that Microsoft release their regular security updates.
I was at the dentist this morning. Clearly I was still under the influence of whatever she injected me with judging by the number of corrections I have had to make to this article. Thanks!
Adobe released a Flashplayer update v11.2.202.235, up from v11.2.202.233 last week.
You are all way behind on this. Flashplayer debugger is always free for browsers.
Java Release 6 Update 32 was available at least as early as May 4, 2012 when I found it on their website for download.
You people at Sophos are behind the times on update notifications for Naked Security.
Hello again Robert.
Sophos provided insight on the Adobe Flashplayer update last week.
See http://www.sophos.com/en-us/threat-center/threat-…
Thank you, you didn't include the Flashplayer update in your article today.
Adobe has been sending out their Security Bulletins about a week after the updates are available for download.
I check Adobe's and SunMicro's websites at least once a week for updates and always check Adobe Reader using the program's menu, never download any of these programs from any other website. Go directly to them. Then you can be sure you are getting the legitimate updates and programs instead of something malicious. Only get Explorer directly from Microsoft, instead of another website that can change your search engine, home page and other things.
You may wish to monitor this page to get the latest vulnerability assessments from SophosLabs.
http://www.sophos.com/en-us/threat-center/threat-…
Of course, it's never going to include assessments of every vulnerability from every vendor – but we do what we can with the resources we have available to us.
It seems you’re outdated too. It’s now Java 7 Update 4. Java 6 is now legacy. Java is on the 7 branch.
I'm surprised there's no commentary here on Adobe's strategy for CS5 security "updates".
Am I alone in thinking if Apple issued a "security update" which required an expensive purchase, you'd – correctly – be all over them like a rash?
Why is Adobe getting a free pass in the security and technology press on this shoddy behaviour?
Thanks for the message Gavin.
I've written about Adobe's "paid-for" security fixes here http://nakedsecurity.sophos.com/2012/05/11/adobe-…