This Week in Patching – 12/21/2012

Here is a quick recap in the world of patch management.  This week was highlighted by security updates for RealPlayer and Opera.

Late last Friday, Real Networks released an update for the RealPlayer media player.  RealPlayer 16.0.0.282 is a security update addressing two vulnerabilities.

On Saturday, a new version of VLC Media player was made available.  VLC 2.0.5 is a non-security update that now includes support for Microsoft Windows 8.

On Sunday, we saw two new patch releases.  CDBurnerXP 4.5.0.3685 and Notepad++ 6.2.3 are non-security updates.

On Monday, new updates were made available for the Mozy software backup program.  MozyHome / MozyPro 2.18.1.235 are both non-security updates.

On Tuesday, Opera released a new version of their Internet browser.  Opera 12.12 is a security update addressing two vulnerabilities on Windows that could lead to Remote Code Execution if exploited.

Happy Patching!

 

– Jason Miller

This Week in Patching – 12/14/2012

This week in patching was highlighted by Microsoft’s December 2012 Patch Tuesday.  Microsoft released seven security bulletins addressing 12 vulnerabilities.  You can read my full write up on Patch Tuesday here.

On the non-Microsoft front, Adobe released an update for their Adobe Flash Player and Air products.  Adobe Security Bulletin APSB12-27 addresses three vulnerabilities and is rated as Critical.  Adobe has started the trend of releasing security updates for Flash Player on Microsoft’s Patch Tuesday.  This trend will probably continue as Microsoft and Google both bundle Adobe Flash Player in their latest browsers.

On that note, Microsoft released an update for their security advisory (KB2755801) to include the latest version of Adobe Flash for Internet Explorer 10.  Google released an update on Patch Tuesday for their Chrome browser.  Google Chrome 23.0.1271.97 contains the latest version of Adobe Flash Player as well as addressing six Google Chrome vulnerabilities.

To wrap up Patch Tuesday, Apache released a new version of Tomcat for Windows with version 7.0.34.  This latest version of Tomcat is a non-security update.

On Thursday, Oracle provided updates for Java version 6 and 7.  Java 6 update 38 and Java 7 update 10 are non-security releases.  The next scheduled security update for Oracle Java is planned for February 19, 2013.  It is important to note that the next scheduled security update will be the last time Java version 6 will receive a security update.  At that time, Oracle will continue to provide security updates for Java version 7.  In the next few months, administrators should look at testing the upgrade for Java version 6 to version 7.  Java can be quite tricky to upgrade.  There are occasions where older software programs that rely on Java simply will not work with the latest version.  By June 18, 2013, administrators should be upgraded to Java 7.  That date will be the next scheduled security update after Java 6 has reached end of life for support.

On Friday, Apple provided updates for their iTunes product with version 11.01.  This update addresses non-security issues with their recent major upgrade in version 11.

Typically, the last two weeks of the year are very quiet for vendors releasing patches for their software.  If any vendor does release updates, I will be back next Friday with an update on the happenings in patch management.  If not, I will be getting a head start on ringing in the New Year.

Happy Patching and Happy Holidays!

 

– Jason Miller

December 2012 Patch Tuesday Overview

For December 2012 Patch Tuesday, Microsoft has released seven new security bulletins addressing 12 vulnerabilities.  This month’s Patch Tuesday affects every Microsoft operating system and every supported version of Microsoft Internet Explorer.  All machines on an administrator’s network will need to be patched this month.

There are two security bulletins that will need to be addressed right away.  First, Microsoft security bulletin MS12-077 addresses three vulnerabilities in all supported versions of Microsoft Internet Explorer.  Navigating to a malicious website in an unpatched browser can result in Remote Code Execution.  With any Internet browser, it is important to patch immediately as browsers are one of the most targeted software programs by attackers.

The second bulletin administrators should look at patching right away is MS12-079.  This security bulletin addresses one vulnerability in Microsoft Word.  Opening a malicious RTF document can result in Remote Code Execution.  By default, Microsoft Outlook 2007 uses Word 2007 as the default email reader.  Organizations that use Microsoft Outlook 2007 will want to raise the priority of patching this bulletin as simply previewing a malicious document can exploit the vulnerability.

Back in October 2012, Microsoft released Security Advisory 2749655.  Microsoft identified an issue where patch packages and patch files were incorrectly signed.  With the digital certificate issue, Microsoft has been identifying these patches and re-releasing them with a correctly signed digital signature.  Today, Microsoft is re-releasing four bulletins with new patches.

MS12-043
MS12-057
MS12-059
MS12-060

This brings the Microsoft security bulletins up to 11 this month.  These re-released patches are not as critical to deploy to the network as the original seven December 2012 Patch Tuesday patches.  If you have already deployed these re-released patches when they were released, administrators are protected from the vulnerabilities.  However, administrators will want to ensure they have patched the 10 re-released patches before early 2013.

On the non-Microsoft front, there are a few vendors releasing updates for their products.  Adobe has released two security bulletins.  Adobe security bulletin APSB12-026 addresses one vulnerability in Adobe ColdFusion and is rated as Important.  Adobe security bulletin APSB12-027 addresses three vulnerabilities in Adobe Flash Player 10/11 and Adobe Air 3.  Adobe has rated the security bulletin for Flash Player and Air as Critical.

With every Adobe Flash Player security update, Google and Microsoft are also involved with the security patch release.  Google has updated their Chrome browser with version 23.0.1271.97.  This new version includes the Adobe Flash Player security update as well as addressing six vulnerabilities in Google Chrome.  Microsoft updated their Security Advisory (2755801) to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.  Microsoft’s Internet Explorer 10 on Windows 8 / Server 2012 embeds Adobe Flash Player in the browser as well.

The last vendor providing updates to their software so far on this Patch Tuesday is Apache.  Apache has released Apache Tomcat for Windows version 7.0.34.  This update is a non-security update.

The 2012 Patch Tuesday releases are not going out with a whimper this year.  With the seven new Microsoft security bulletins, the four Microsoft security bulletin re-releases and the Adobe Flash Player security update, administrators will have a significant amount of patching to complete before they can start focusing on the holidays.

I will be going over the December Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, December 12th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 12/7/2012

This week in patching was a very light week with very few releases.  This is not unusual for this time of the year.  In the past few years, I typically see a lighter number of releases from software vendors during the month of December.  Here is a quick recap on the happenings in patching this week:

On Monday, Foxit released a new version of Foxit Reader with version 5.4.4.11281.  This update is a non-security update.

On Wednesday, The Document Foundation released an update for their 3.6.x LibreOffice program with LibreOffice 3.6.4.  This release is also a non-security update.

Next Tuesday marks the December 2012 edition of Patch Tuesday.  I will be going into detail on all of the happenings here next Tuesday.

Happy Patching!

 

– Jason Miller

December 2012 Patch Tuesday Advanced Notification

During this holiday season, Microsoft is giving the gift of patches!  Microsoft has announced their December 2012 Advance Notification for the upcoming Patch Tuesday.  Microsoft plans to release seven new security bulletins addressing 11 vulnerabilities.

 

Security Bulletin Breakdown:

  • 5 bulletins are rated as Critical
  • 2 bulletins are rated as Important
  • 6 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 1 bulletin addressing vulnerabilities that could lead to Security Feature Bypass

 

Affected Products:

  • All supported versions of Microsoft Internet Explorer
  • All supported Microsoft Operating Systems including Windows 8, 8 RT and Server 2012
  • Microsoft Word 2003, 2007, 2010
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft Exchange Server 2007, 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Office Web Apps 2010

I will be going over the December Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the November Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, December 12th at 11:00 a.m. CT.  You can register for this webcast here.

 

– Jason Miller