With critical updates from Adobe, Foxit, and Mozilla joining a bevy of essential patches for Internet Explorer and Office, the fixes are running hot this summer.
After an ebb of only one patch in Microsoft’s previous regular cycle, the flow resumed in force as Microsoft plugged 31 vulnerabilities. The most important update fixes flaws that could allow an attacker to take over your PC or steal data if you view a poisoned Web page. Collectively, the patches are critical for IE 5 on Windows 2000, IE 6 on Windows XP, and IE 7 on Windows XP and Vista. It’s bad news for IE 8 as well, on both XP and Vista. IE 8 on the latest Windows 7 release candidate isn’t affected. Run Windows Update to pick up the patch.
Office Fixes
Two other patches close holes that could allow tainted Word or Excel files to trigger an attack. Office 2000 is most vulnerable, as the hole could permit an attacker to run any command. The flaws are rated important for Office XP, 2003, and 2007, as well as for Office for Mac (2004 and 2008). Run Windows Update to get the fix.
A similar fix for Microsoft Works files and converters is critical for Office 2000, important for Office XP, 2003, and 2007, and important for Microsoft Works 8.5 and 9.
Windows 2000 users should nab a critical patch for three bugs in Windows Print Spooler that Internet attackers could hit if the PC isn’t protected by a firewall. A successful attack could take over a Windows 2000 PC, but the threat is a bit less dangerous (rated moderate or important) for other versions of Windows.
A number of other Microsoft patches correct less-important holes; none of them would allow attackers to have their way with your PC. That said, make sure you have them all by running Windows Update.
Shockwave, Reader Updates
Adobe shored up its Shockwave Player with a must-have fix. Without it, if you have Shockwave 11.5.0.596 or earlier, visiting a site with a rigged Adobe Director file could allow a “remote code execution” that puts an attacker in command of your PC. Adobe recommends manually uninstalling the older version and installing the latest Shockwave Player. That isn’t exactly convenient, but it beats the heck out of a malware infection.
You’ll have a somewhat easier time snagging updates for Adobe’s beleaguered Reader and Acrobat. The critical Reader and Acrobat update, to 9.1.2 (or to 8.1.6 or 7.1.3 for older versions), closes holes that could permit a takeover if you open a poisoned PDF file. Click Help, Check for updates to make sure you have the latest version, which is available for Windows, Macintosh, and Unix.
Foxy Upgrades
Users of the Foxit Reader PDF app don’t get a free pass, either. To avoid triggering an attack when opening a malicious file, it needs fixes for the 3.0 base program and the JPEG2000/JBIG2 Decoder add-on (if present). Click Help, About Foxit Reader; if you don’t have at least version 3.0 build 1817, download the latest Foxit version. Run Help, Check for updates to see if you have the latest JBIG2 add-on. (The update check unfortunately doesn’t update older Foxit base software, but it will nab add-on updates.)
Finally, Mozilla released Firefox 3.5 at the end of June. If you haven’t installed that browser yet, at least get the latest version 3.0 update. The fix addresses four critical bugs in JavaScript handling. Of those, two also affect the Thunderbird e-mail app and three affect the SeaMonkey suite; click Help, Check for Updates to see if you have at least Firefox 3.0.11, Thunderbird 2.0.0.22, or SeaMonkey 1.1.17.