By: Jason Miller, Manager, Research and Development
It has been a busy week for patch releases. Here is a quick recap of the happenings in patch management.
Adobe released a new security bulletin for Adobe Flash Player and Adobe Air. APSB12-24 addresses seven vulnerabilities and the following versions address these issues:
- Adobe Flash Player 11.5.502.110
- Adobe Flash Player 10.3.183.43
- Adobe Air 184.108.40.2060
It is important to note that the vulnerabilities also affect the Adobe Flash Player 10 product line. The ‘Priority and Ratings,’ ‘Affected Software Versions,’ and ‘Summary’ sections on the Adobe security bulletin page do not list Adobe Flash Player 10 as an affected product. The CVEs filed on behalf of the vulnerabilities state that Adobe Flash Player 10 is indeed affected. In addition, the Adobe Security Bulletin page lists Adobe Flash Player 10 as affected in the ‘Solution’ area.
With the Adobe Flash Player release, I also saw a coordinated release effort from Google and Microsoft to address vulnerable Adobe Flash Player programs embedded in their browsers. Google Chrome / Chrome Frame version 23.0.1271.64 fixes 14 vulnerabilities and includes the latest version of the Adobe Flash Player. This new version of the Google browser includes a new ‘Do Not Track’ feature that sends a request to a website asking it to not track information. On the Microsoft side, Microsoft Security Advisory 2755801 was updated to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.
Opera also released a new version of their browser for the first time since June of this year. Opera 12.10 addresses six vulnerabilities. In the release notes, you will need to scroll down to the beta section to see that this release actually fixed security vulnerabilities. They are noted in the beta section for version 12.10.
HP released their first update since June of this year for their System Management Homepage product. HP System Management Homepage 7.1.2 appears to be a security update and is rated as “Recommended” by HP. The release notes for this newer version state “Improved security features.” Vulnerability information for HP System Management Homepage releases typically takes a few weeks to appear after the product release, so I will be watching the National Vulnerability Database for more information.
Apple joined the busy patching week with a new release of Apple QuickTime. Apple QuickTime 7.7.3 is a security update addressing nine vulnerabilities. One of the vulnerabilities fixed with this release is, remarkably, from 2011 (CVE-2011-1374).
AOL Instant Messenger 220.127.116.11 has been released to the mainstream. This product typically does not have release notes associated with each version. I will be waiting to see if a CVE is released that would mark this release as a security bulletin.
Next Tuesday marks the November 2012 edition of Patch Tuesday. Microsoft is set to release six bulletins addressing 13 vulnerabilities. This Patch Tuesday will be highlighted by the first security bulletin releases for the new Microsoft Windows 8 and Server 2012 operating systems.
There are reports of a zero-day vulnerability in Adobe Reader. No confirmation or information has been released yet by Adobe. There is a chance that Adobe could release an update for Adobe Reader on Patch Tuesday.
I will be back next Tuesday to talk in detail on all of the activities for the November 2012 Patch Tuesday.
– Jason Miller