A Watchful UI

Patch Tuesday for Microsoft has 13 updates, three of which are critical; the remaining 10 are all rated as important.  These patches plug holes that could allow remote code execution or elevation of privilege.  The affected programs include the Office suite, Internet Explorer, Media Player, and Windows itself.  In particular, MS11-091 fixes a publicly disclosed vulnerability in Publisher that could allow remote code execution.  MS11-087 addresses a font vulnerability that was exploited by the Duqu malware.

http://technet.microsoft.com/en-us/security/bulletin/ms11-dec

Google Chrome was updated to version 16.0.912.63.  It fixes several high- and medium-risk vulnerabilities.

http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html

Google continues to remove apps from the Android Market.  Be sure you only download applications from trusted developers.

http://images.infoworld.com/d/mobile-technology/google-pulls-22-more-malicious-android-apps-market-181532

Adobe has released security advisories for Reader and Acrobat.  Adobe is planning to release the update for this critical vulnerability for the 9.x versions of Reader and Acrobat this week and for the 10.x versions in January 2012.

http://www.adobe.com/support/security/advisories/apsa11-04.html

Adobe has also released an update for their Flex SDK.  It fixes an issue that could lead to cross-site scripting in Flex applications.

http://www.adobe.com/support/security/bulletins/apsb11-25.html

Adobe released an update for Flash Player and AIR in November.

http://www.adobe.com/support/security/bulletins/apsb11-28.html

But another Flash update is expected soon due to 0-day vulnerabilities:

http://www.pcworld.com/businesscenter/article/245843/

ColdFusion was also updated by Adobe to prevent XSS.

http://www.adobe.com/support/security/bulletins/apsb11-29.html

Apple has updated iTunes to version 10.5.1 and then 10.5.2.  This helps prevent a man-in-the-middle attack. Security changes in 10.5.2 have not yet been published.

http://support.apple.com/kb/HT5030
http://support.apple.com/kb/DL1426

Safari 5.1.2 has also been released, and while it reportedly addresses no security issues, several performance and memory bugs have been fixed:

http://support.apple.com/kb/DL1070

Sophos for Windows 9.7.6 is our currently deployed version, but 10.0 is now available and will be coming soon after the end of the semester. Advertised improvements in the new version include better web protection and better performance on virtual machines. While the system tray icon is new, the other features and operations are largely the same and should all look familiar. Sophos for Mac remains at version 7.3.6.

Oracle has released Java 6.0 update 30 this week, and while it doesn’t contain any security fixes over update 29, it does address numerous regressions and bugs:

http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html

Have a safe and happy holiday!

Mitch Parks
ITS Desktop Security Analyst

Zack Preston
ITS Desktop Security Assistant

Follow @UIITSecurity and @UIHelpDesk on Twitter for the latest articles and news.
