Patch Tuesday for September 2012 – All about Adobe


NOTE:Thank you from Naked Security for the comments. We realise that wording here was a little confusing. We have updated the article. Thanks for keeping us on our toes!

As is customary, Microsoft released their monthly batch of fixes this morning. If you consider two to be a batch and only if you run Visual Studio Team Foundation Server 2010 or SMS 2003 SP3/SCCM 2007 SP2.

Both vulnerabilities (MS12-061 and MS12-062) are elevation of privilege vulnerabilities. This means the attacker would need to have already gained access to the system.

An elevation of privilege allows a regular non-administrative user to gain admin rights through the vulnerability.

The bigger story is Adobe’s fixes for Flash, Photoshop CS6 and ColdFusion, all of which have been released during the last three weeks.

The most important bulletin is APSB12-19, first released August 21, fixes seven vulnerabilities in Flash Player.

The first five vulnerabilities can all result in remote code execution (RCE). These are critical and should make patching Flash Player the highest priority.

Of the other two, one is a information disclosure vulnerability and the other was causing crashes for Firefox users.

As always the latest Flash Player is available for all platforms except Android from

APSB12-20, first issued August 30, covers two remote code execution vulnerabilities in Adobe Photoshop CS6. These vulnerabilities are considered critical and users of Photoshop CS6 would be advised to update to version 13.0.1.

Adobe has stated that earlier versions of Photoshop are not affected.

Lastly APSB12-21, released yesterday, patches a denial-of-service (DoS) vulnerability in ColdFusion versions 8-10. More details are available in Adobe’s bulletin.