Security updates from Microsoft and Adobe
Microsoft has released seven bulletins to close eight security holes in its products. These include vulnerabilities in Windows Media, Windows Packager and Windows Object Manager, which the company rates as critical. The bugs could be exploited by attackers to inject and execute malicious code on a victim's system via a specially crafted file. However, Windows 7 is not affected by the problem in Windows Media.
The company has finally released an update for Internet Explorer to fix the vulnerability in the SSL 3.0/TLS 1.0 protocol that has been known about since September. The related attack, known as BEAST (Browser Exploit Against SSL/TLS), allows attackers, for example, to decrypt cookies that are transmitted in encrypted form and use them for unauthorised web page logins. Microsoft had planned to publish this update in December but later delayed the release due to compatibility issues with third-party products.
On Tuesday Adobe published versions 10.1.2 and 9.5 of its Acrobat and Reader products for Windows and Mac OS X. The updates fix critical vulnerabilities that could be used by an attacker to cause the application to crash and potentially take control of an affected system.
Versions 10.1.1 and 9.4.7 and earlier of Acrobat and Reader are affected; all users are advised to upgrade. An overview of the Adobe patches can be found in the company's security bulletin for Reader and Acrobat.