Adobe, Apple and Microsoft Issue Security Updates

This turned out to be one of the busiest Patch Tuesdays in a long while: Adobe, Apple and Microsoft all independently released software security updates today.

Adobe patched two vulnerabilities in its PDF Reader and Acrobat software. The update applies to all supported versions of both programs on Windows, Mac and Linux systems.

Adobe vulnerabilities are some of the most heavily used in targeted attacks, and they show up quite a bit in exploit kits that are sewn into hacked and malicious Web sites. So, if you use Reader or Acrobat, try not to let too much time elapse before you apply this update.

Redmond issued a single update to plug at least 16 security holes in its PowerPoint software. The Microsoft Office PowerPoint update is rated critical and applies to all supported versions of PowerPoint, including Office for Mac, Microsoft Works 8.5 and 9.0, as well as various Office Compatibility Packs. Users of Office XP and later can grab the update from Windows Update. Office 2000 users can grab the update from this link (you will need to have at least Service Pack 3 installed to apply this update).

Apple's Security Update 2009-002 is a massive patch batch that plugs more than 60 vulnerabilities in OS X and software designed for the Mac. Apple also released today Safari 3.2.3 for both Mac and Windows systems, an update that addresses at least three security flaws. The operating system update is available through Software Update or via Apple Downloads, while Safari for Windows users can grab the latest version using the bundled Apple Software Update application.

Update, May 13, 10:40 a.m. ET: A couple of Office for Mac users have written in confused because they couldn't find a link to the Mac updates. The answer is such a link doesn't exist at the moment. Microsoft said it is still working on patching these vulnerabilities in their Mac versions.

From Microsoft's Security & Defense blog:

The Mac version of Office is affected but the packages are still in testing so we are "going live" today with Windows packages only. We normally do not update one supported platform before another but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages. We will revise the security bulletin when the Mac packages are available. None of the PPT exploit samples we have analyzed will reliably exploit the Mac version so we didn't want to hold the Windows security update while we wait for Mac packages. We are still hard at work on the Mac package testing.

This decision to ship patches for Windows versions of Office but not for Macs apparently doesn't sit well with some folks, including Internet Storm Center incident handler Swa Frantzen, who chides Microsoft for not following its own "responsible disclosure" mantra with this patch. Frantzen notes that cyber crooks typically disassemble Microsoft security patches to try and figure out where the vulnerability lies and how to exploit it, and in releasing Windows updates before Mac patches are available, Microsoft is increasing the likelihood that attackers will use that knowledge to attack Mac users.

By Brian Krebs  |  May 12, 2009; 10:15 PM ET
Categories:  New Patches , Safety Tips  | Tags: adobe, apple, microsoft patches  

Comments

Brian Krebs, you are always very helpful in your Column and one would hope that these software companies at least have the decency to thank you for the service that you render through your column.

Posted by: winemaster2 | May 13, 2009 5:20 AM | Report abuse

I am running WinXP Home SP3 with Adobe Acrobat Reader 9.1.0 - I downloaded AdbeRdrUpd911_all_incr.msp to update but when I double click on the icon I get a message "Windows cannot open this file".

Any suggestions?

Posted by: Robert76 | May 13, 2009 10:23 AM | Report abuse

@ Robert76, this is a Windows Installer Patch, perhaps your Windows Installer needs updating/reinstalling?

Posted by: satrow | May 13, 2009 6:45 PM | Report abuse

Got rid of Microsoft Office years ago -- good riddance! Sun Microsystems' free OpenOffice.org (now version 3.01) will satisfy all but the most discriminating and fussy Microsoft Office users, has an easy learning curve, and looks and feels very much like Office. Ditto for Adobe Reader. If you're not using Adobe Acrobat, get rid of Reader (bloated) and use Foxit, which is slimmer and loads faster.

Posted by: AnnArborGuy | May 14, 2009 8:44 AM | Report abuse

satrow:

I found a way to update to 911 by running msiexec.exe from the command prompt

Posted by: Robert76 | May 14, 2009 10:06 AM | Report abuse

Thank you, yet again, Brian.

I grabbed the Adobe update. But, I'm confused about your description of the Microsoft ones. Are they only for PowerPoint, which I don't have? I don't have automatic updates - can I just skip Microsoft this month?

Posted by: JBV1 | May 14, 2009 1:11 PM | Report abuse

Hi JBV1- Yes, the updates this month were exclusively for PowerPoint/Office. Microsoft also pushed out updates for its malicious software removal tool, so if you care about running that you might still want to visit Windows update.

Posted by: BTKrebs | May 14, 2009 1:42 PM | Report abuse

I'm afraid I've got nothing to offer Mac users that would make them feel better about Microsoft not offering patches for the Mac other than to say this is not a prudent thing to do during an Obama administration, appearances and such.

As for Windows users of PowerPoint, Acrobat, Safari, and iTunes, people with AppGuard PC protection software are protected without these patches, even against zero-day variants.

Patches are still worthwhile implementing, they just aren't urgently needed.

Posted by: eiverson1 | May 14, 2009 2:48 PM | Report abuse

I accepted the patch for the malicious s/w removal tool, but declined the PP patch as I never installed PP. However, each morning I get reminded that the PP patch awaits my attention. Will this go on forever, or can I tell MS Update somehow to stop the PP notices?

Posted by: Bartolo1 | May 18, 2009 7:02 AM | Report abuse

"Will this go on forever, or can I tell MS Update somehow to stop the PP notices?"

If you manually go to Microsoft Update you will see the menu of updates it is offering. There should be an option to 'hide' the update you don't want to hear about anymore.

Posted by: GRILLADES | May 19, 2009 2:07 PM | Report abuse

Grillades: Thanks for the reply. When I go to MS updates via my Control Panel and have it check for Express Updates it finds the PP patch. However, I don't see any way to hide this update. Under their FAQ list there is an entry concerning "Don't show me this update again" but no indication of how you get to that option. There is an entry for "Show my hidden updates", but I have none.

Posted by: Bartolo1 | May 20, 2009 4:20 PM | Report abuse

© 2010 The Washington Post Company