Black Tuesday: Microsoft secures IE, Adobe its Flash Player

The Redmond company released 6 security bulletins, as announced last Friday. They close 12 security holes, most importantly some issues in Internet Explorer that allow for drive-by downloads, which put users at risk of having their computer infected simply by surfing to an infected website. Affected are IE 5, 6, 7 and 8, even on Windows 7. Exploit code is already publicly available, so this patch should be applied ASAP.

Another hole that Microsoft closes, one that would allow worms to spread, is in Windows’ Internet Authentication Service. This is used for authentication via MS-CHAP v2 in combination with PEAP. Some Internet providers used such authentication for dial-in via modem, but it is sometimes still used today, for example for VPN connections or tunneling.

The last security vulnerability with a ‘critical’ rating is in Project from Microsoft Office. Opening specially crafted documents can infect the computer with malware. The other 3 vulnerabilities, rated ‘important’, are in WordPad and the Office Text Converters, in the Active Directory Federation Services and in the Local Security Authority Subsystem Service (LSASS). As Microsoft considers exploits likely to appear very soon for all these vulnerabilities, the updates should be installed immediately.

Adobe also used Patch Tuesday to plug 7 security holes in Flash Player. These affect Adobe Flash Player and Adobe AIR 1.5.2 and earlier versions of these programs. The company recommends updating to the new versions Flash Player and AIR 1.5.3, respectively. The updated versions are available for all supported platforms, namely Windows, Linux and Mac OS X.

As the vulnerabilities in Flash Player and AIR also allow for drive-by downloads (infecting the computer just by accidentally surfing to an infected website), Adobe recommends updating as soon as possible. The new Flash Player is available in the Flash Player Download Center, while the AIR update is available in the AIR Download Center.

Dirk Knop
Technical Editor