Bugs and Fixes: Flaws Plague Microsoft and Adobe Again
By James Mulroy
Bugs surfacing in recent weeks include Windows vulnerabilities that could allow bad guys to enter your computer, as well as flaws in Adobe Shockwave Player and Photoshop that could permit attackers to run malicious code and possibly commandeer your system.
The Patch Tuesday fix that Microsoft released on May 11 includes two critical updates. The first addresses a vulnerability in Outlook Express and Windows Mail that could allow remote code execution (that is, attackers could do whatever they want with your PC) if you visit a malicious e-mail server. This update is rated critical for Outlook Express on all supported editions of Windows 2000, XP, and Server 2003, and for Windows Mail on all supported editions of Windows Vista and Server 2008. See Microsoft’s security bulletin for the full details.
The second update corrects a flaw in Visual Basic for Applications that “could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime.” If you are logged in as an administrator on your PC, attackers could potentially take control of your system, install programs, and view, change, or delete data. Microsoft says this critical update applies to all supported versions of Visual Basic for Applications and to any program that uses it. The update is also important for all supported editions of Microsoft Office XP, 2003, and 2007.
Microsoft recommends that users acquire both of these updates. If you do not have automatic updating turned on, the company suggests downloading these critical updates manually. You can do so by going to Control Panel, selecting the Windows Update icon, and then clicking Check for Updates. You can learn more about the flaws (and download patches manually) at Microsoft’s security site.
Adobe Corrects Remote-Execution Vulnerabilities
Adobe has released a critical update for Shockwave Player 22.214.171.1246 and earlier versions on Windows and Mac OS X. The update fixes a multitude of problems, all related to remote code execution. Adobe recommends updating to the latest version of Shockwave Player, 126.96.36.1999 (though it’s possible that another update will be released by the time you read this). Download the latest at the Adobe Shockwave site.
Adobe also issued an update for Photoshop CS4 to patch holes that could allow an attacker to control your PC. This problem affects both Windows and Mac users. The company says that “a malicious .ASL, .ABR, or .GRD file must be opened in Photoshop CS4 by the user for an attacker to be able to exploit these vulnerabilities.”
The affected versions are Photoshop CS4 11.0.1 and earlier for both Windows and Mac. Adobe recommends that customers update to Photoshop CS4 11.0.2 (downloadable files are available for Windows PCs and for Mac systems) to resolve these issues. The vulnerability does not apply to users of version CS5.