Windows users, you may have noticed that your devices have some new updates available. What's that about? Microsoft released several security patches yesterday (July 8) as part of its monthly Patch Tuesday round of updates. Most require a computer restart, but they fix dozens of bugs and flaws in Microsoft software.
Adobe Systems also yesterday issued a number of security patches for Windows, Mac and Linux users, including the much-publicized "Rosetta Flash" attack. Read on for a full breakdown of the Windows and Adobe updates and what they mean for you.
The newly released Adobe Flash Player version 220.127.116.11 (or 18.104.22.1684 on Linux) contains a patch for a vulnerability that could let attackers steal authentication tokens from many websites, including Google, Twitter, eBay, Tumblr and Instagram. Google security engineer Michele Spagnuolo found the flaw and created a proof-of-concept exploit he called Rosetta Flash to demonstrate it.
Over the weekend, Google and Twitter patched their own sites (and Tumblr did yesterday), but individuals who upgrade to the newest Adobe software should be secure on their end. Adobe says it is not aware of any criminals exploiting this flaw in the wild.
The other two patches in the Flash Player update fix minor issues first discovered in December 2013, but which weren't publicly disclosed until yesterday.
If you're using Google Chrome or Microsoft Internet Explorer 10 or 11, your Flash Player browser plugin will auto-update. Otherwise, you can find the updates on Adobe's website. Heads up, though: Adobe bundles McAfee Security Scan with the update downloaded directly from the website. This piece of software simply does a malware scan, but if you don't want it, uncheck McAfee Security Scan during the installation process.
One more complication: If you're running an older version of Internet Explorer alongside one or more non-Chrome browsers, you'll need to download and install two separate patches: one for IE, the other for the other browsers.
As promised in its pre-Patch Tuesday announcement, Microsoft has released security updates for all active versions of the Windows operating system as well as the Internet Explorer browser. Before each Patch Tuesday, Microsoft issues advisory bulletins that vaguely describe each category of upcoming patches, and this month two bulletins were rated "critical," Microsoft's highest level of security threat.
Bulletin 1 turned out to contain several patches for remote-code-execution (RCE) bugs in all versions of IE (6 through 11) on all supported versions of Windows (Vista through 8.1/R 8.1 and Windows Server 2003 through 2012). RCE flaws let attackers seize control of individuals' computers without user interaction.
Only one of the IE bugs had previously been disclosed to the public, so it's highly unlikely criminals were able to exploit the others. The disclosed bug, an extended-validation SSL certificate flaw, doesn't appear to have been exploited either. Nevertheless, users shouldn't delay in applying Microsoft's Bulletin 1.
Bulletin 2, also rated "critical," contained one RCE patch for all supported Windows operating systems except Windows Server 2003 and Server Core. The patch fixes a flaw that could be exploited by using a .JNT file used by Windows Journal, note-taking software that, despite its relative obscurity, comes pre-loaded on all Windows computers.
Bulletins 3, 4 and 5 each turned out to fix a single "elevation-of-privilege" flaw, which lets attackers give themselves administrator-level user privileges on a compromised computer. Used in combination with RCE flaws, elevation-of-privilege flaws can be particularly nasty. But because attackers need physical access to a computer to exploit these flaws, these three bulletins were rated only "important."
The elevation-of-privilege flaws were privately reported, so there's not much chance an attacker has exploited them. One requires attackers to upload a specially crafted program to the targeted computer. Another requires attackers to have login credentials, while the third exists in Microsoft's DirectShow API and requires would-be attackers to first exploit a different flaw.
The flaw addressed in Bulletin 6, rated "moderate," permits a denial-of-service attack on Microsoft Service Bus, an optional piece of software for Windows Server 2008 R2, 2012 and 2012 R2. Specially crafted networking requests could be used to make the software stop working.
The full rundown of the bulletins and the flaws they address is available on Microsoft's website.