Microsoft's Patch Tuesday has 13 updates, three of which are rated critical; the remaining 10 are all rated important. These patches plug holes that could allow remote code execution or elevation of privilege. The affected programs include the Office suite, Internet Explorer, Media Player, and Windows itself. In particular, MS11-091 fixes a publicly disclosed vulnerability in Publisher that could allow remote code execution. MS11-087 addresses a font vulnerability that was exploited by the Duqu malware.
Google Chrome was updated to version 16.0.912.63. It fixes several high- and medium-risk vulnerabilities.
Google continues to remove apps from the Android Market. Be sure you only download applications from trusted developers.
Adobe has released security advisories for Reader and Acrobat. Adobe is planning to release the update for this critical vulnerability for the 9.x versions of Reader and Acrobat this week and for the 10.x versions in January 2012.
Adobe has also released an update for their Flex SDK. It fixes an issue that could lead to cross-site scripting in Flex applications.
Adobe released an update for Flash Player and AIR in November.
But another Flash update is expected soon due to 0-day vulnerabilities.
ColdFusion was also updated by Adobe to prevent XSS.
Apple has updated iTunes to version 10.5.1 and then 10.5.2. This helps prevent a man-in-the-middle attack. Security changes in 10.5.2 have not yet been published.
Safari 5.1.2 has also been released, and while no security issues have reportedly been addressed, several performance and memory bugs have been fixed.
Sophos for Windows 9.7.6 is our currently deployed version, but 10.0 is now available and will be coming soon after the end of the semester. Advertised improvements in the new version include better web protection and better performance on virtual machines. While the system tray icon is new, the other features and operations are largely the same and should all look familiar. Sophos for Mac remains at version 7.3.6.
Oracle has released Java 6.0 update 30 this week, and while it doesn’t contain any security fixes over update 29, it does address numerous regressions and bugs.
Have a safe and happy holiday!
ITS Desktop Security Analyst
ITS Desktop Security Assistant