December Critical Updates

December seems to be the month for patching. Microsoft’s regular round of “Patch Tuesday” releases included a number of critical updates amongst the eleven released; we reported just recently on Mozilla Firefox 26 and its round of fourteen updates including several rated critical, and not to be left out, Adobe has dropped several patches to address critical updates in its Flash, Air and Shockwave products. There is at least one exploit already in the wild.

Flash and Air

According to the Adobe Security Bulletin APSB13-28, the vulnerability affects Windows, Linux and Macintosh users of Adobe Flash and Air. This also impacts Android users, so we have a vulnerability that can hit all three major desktop platforms, plus one of the major mobile device platforms. The severity ratings for Adobe Flash on Windows and Macintosh are both 1s, and for Linux users and Air, 3s.

As a reminder, Adobe’s severity 1 rating means

Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).

Adobe recommends that all users update their affected software. Windows, Mac, and Linux users can download the latest version of the Flash Player and Adobe Air online. The Flash Player embedded in IE 10 and 11 and in Google Chrome will be updated as part of updating to the latest versions of those browsers.

Our advice is to update all devices immediately. This vulnerability is severe, and Adobe indicates in its bulletin that there is an exploit already in the wild targeting this vulnerability. Home users should be encouraged to update, while business users should deploy the update to all machines using their patch management system as soon as they can test and get change control approval to proceed. This is not something to leave for next month.

Here’s the official list of affected software and downloads from the Adobe bulletin.

| Affected Software | Recommended Player Update | Availability |
| --- | --- | --- |
| Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh | 11.9.900.170 | Flash Player Download Center |
| Flash Player 11.9.900.152 and earlier versions (network distribution) | 11.9.900.170 | Flash Player Licensing |
| Flash Player 11.2.202.327 and earlier for Linux | 11.2.202.332 | Flash Player Download Center |
| Flash Player 11.9.900.152 and earlier for Chrome (Windows, Macintosh and Linux) | 11.9.900.170 | Google Chrome Releases |
| Flash Player 11.9.900.152 and earlier in Internet Explorer 10 for Windows 8.0 | 11.9.900.170 | Microsoft Security Advisory |
| Flash Player 11.9.900.152 and earlier in Internet Explorer 11 for Windows 8.1 | 11.9.900.170 | Microsoft Security Advisory |
| AIR 3.9.0.1210 and earlier for Windows and Macintosh | 3.9.0.1380 | AIR Download Center |
| AIR 3.9.0.1210 SDK | 3.9.0.1380 | AIR SDK Download |
| AIR 3.9.0.1210 SDK & Compiler | 3.9.0.1380 | AIR SDK Download |
| AIR 3.9.0.1210 and earlier for Android | 3.9.0.1380 | Google Play |

More detail about the vulnerabilities will be available in CVE-2013-5331 and CVE-2013-5332, however at the time of this writing, only placeholders are online.

Shockwave

According to the Adobe Security Bulletin APSB13-29, the vulnerability affects both Windows and Linux versions of the Shockwave player. The priority rating is 1 for both Windows and Mac.

As a reminder, Adobe’s severity 1 rating means

Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).

Users are advised by Adobe to update to the latest version of the Shockwave Player, 12.0.7.148, as soon as possible.

Our advice is to do this today. This vulnerability, if successfully exploited, would allow an attacker to run malicious code on the target machine.
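For teams checking an inventory against the Flash/AIR table above and the Shockwave version just mentioned, here is an added Python example (not code from this post or from Adobe) that compares installed builds with the lowest patched build from the two bulletins. The product/platform keys, the function names and the sample inventory are our own assumptions; note that Flash on Linux tracks a separate 11.2.202.x branch, so a single "older than 11.9.900.170" rule would wrongly flag fully patched Linux hosts.

```python
# Added example, not code from the post or from Adobe: compares an installed
# build with the fixed builds listed above. Keys and names are our own choice.
FIXED_VERSIONS = {  # lowest patched build per (product, platform)
    ("flash", "windows"): "11.9.900.170",
    ("flash", "macintosh"): "11.9.900.170",
    ("flash", "linux"): "11.2.202.332",  # Linux tracks a separate 11.2 branch
    ("flash", "chrome"): "11.9.900.170",
    ("air", "windows"): "3.9.0.1380",
    ("air", "macintosh"): "3.9.0.1380",
    ("air", "android"): "3.9.0.1380",
    ("shockwave", "windows"): "12.0.7.148",
    ("shockwave", "macintosh"): "12.0.7.148",
}

def parse_version(text):
    """'11.9.900.152' -> (11, 9, 900, 152). Numeric comparison matters:
    as strings, '11.10.0.0' sorts before '11.9.900.170'."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_update(product, platform, installed):
    """True if the installed build is older than the patched build.
    Raises KeyError for a pair the bulletins do not cover, rather than
    silently treating it as patched."""
    fixed = FIXED_VERSIONS[(product.lower(), platform.lower())]
    return parse_version(installed) < parse_version(fixed)

def triage(inventory):
    """Split (host, product, platform, version) rows into hosts still
    needing the patch and hosts the bulletins do not cover."""
    outdated, unknown = [], []
    for host, product, platform, version in inventory:
        try:
            if needs_update(product, platform, version):
                outdated.append(host)
        except KeyError:
            unknown.append(host)
    return outdated, unknown

# Constructed sample inventory: host names and the Shockwave build are made up.
SAMPLE_INVENTORY = [
    ("ws01", "flash", "windows", "11.9.900.152"),  # affected
    ("ws02", "flash", "windows", "11.9.900.170"),  # patched
    ("lx01", "flash", "linux", "11.2.202.332"),    # patched on the Linux branch
    ("lx02", "flash", "linux", "11.2.202.327"),    # affected
    ("dev1", "air", "android", "3.9.0.1210"),      # affected
    ("mm01", "shockwave", "windows", "12.0.6.0"),  # affected
    ("sun1", "shockwave", "solaris", "12.0.7.148"),  # not covered
]
```

Running `triage(SAMPLE_INVENTORY)` returns the hosts to patch and, separately, the hosts whose product/platform pair the bulletins do not list, so those can be checked by hand rather than assumed safe.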

More detail about the vulnerabilities will be available in CVE-2013-5333 and CVE-2013-5334, however at the time of this writing, only placeholders are online.

With all the patches hitting at the end of the year like this, next week promises to be a very busy one for IT teams looking to complete all patching in time to attend the company party, and to enjoy the holiday week. If you have a patch management system, take full advantage of that to get these patches deployed. If you don’t, move that to the top of your Christmas list, because next year is going to be just as active.