Adobe patches critical flaws in Flash, Reader, and Acrobat
Today is the second Tuesday of January—which makes it the first Patch Tuesday of 2013. Adobe is addressing a few critical vulnerabilities in its software as well this Patch Tuesday.
Adobe issued two Security Bulletins. The first, APSB13-01, is for Adobe Flash. The bulletin states that versions of Adobe Flash Player for Windows, Mac OS X, Linux, and Android are all impacted by a vulnerability that could cause a system crash, or allow an attacker to execute malicious code remotely.
APSB13-02 deals with flaws in Adobe Acrobat and Adobe Reader. According to the bulletin, Adobe Acrobat and Reader 11.0.0 and earlier versions on Windows and Mac OS X, and Adobe Reader 9.x versions for Linux are at risk. Like the Flash security bulletin, this one states that the vulnerabilities could lead to a system crash or allow an attacker to take control of the affected system.
Andrew Storms, director of security operations for nCircle, has a bone to pick with Adobe about the patch for Flash. “Why can't Adobe do the world a favor and provide advance notification for Flash updates? Now that they’re coordinating with Microsoft to release Flash updates for IE 10 on patch Tuesday, how hard can it be to let the rest of us know a patch is coming?”
Storms also takes issue with the scarcity of information in the Adobe bulletins. The lack of details about the flaw itself, or about any mitigations or workarounds that can be used in lieu of the patch, makes it difficult for IT admins to make intelligent decisions about prioritizing the patch implementation. Storms says, “Adobe’s security bulletins can be summed up as ‘patch or be exploited’.”
Wolfgang Kandek, CTO of Qualys, discusses the Adobe updates in a blog post. Kandek points out that Microsoft has also updated a security advisory (KB2755801) for Internet Explorer 10, because Adobe Flash Player is embedded in the browser and the update includes a new Adobe Flash build.
Kandek also says IT admins should be aware of advisory APSA13-01, which deals with three ColdFusion vulnerabilities. The advisory provides information on workarounds while Adobe is working on a patch.