Virus.Org

Not only did Microsoft release a slew of updates this Patch Tuesday; Adobe and Oracle followed suit with updates of their own. Adobe quashed a number of remote code execution flaws in Flash, Reader/Acrobat and Shockwave, while Oracle released an update for Java 7 and announced official support for Java on OS X.

Adobe published three bulletins covering Reader and Acrobat (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18). There aren't many specifics in APSB12-16, but there is enough information to set off some alarm bells and make sure you're rolling out the update for Reader and Acrobat.

APSB12-16 covers some twenty CVEs (Common Vulnerabilities and Exposures entries) patched by Adobe. The vulnerabilities include memory corruption bugs such as heap and stack overflows; at minimum these cause a crash, but they can often be turned into code execution, and all an attacker needs is for the victim to open a crafted PDF. So there is a fair chance that, once exploits are developed, we'll see them in the wild in malware and exploit packs. The patched products are versions 9 and X of Adobe Reader and Acrobat.

So far no malware or exploits have been seen that bypass the sandboxing and other security controls Adobe built into the X line of Reader and Acrobat. Bear in mind that the Reader X Protected Mode sandbox exists only on Windows, and the 9.x line has no sandbox at all, so those users have no such mitigation. Either way, these issues are rated Critical, which is reason enough to roll the patches out promptly.

Both the Shockwave and Flash updates are rated Critical as they both include Remote Code Execution flaws.

Oracle, for its part, shipped an update for Java yesterday: the latest version is Java 7 Update 6 (7u6), also known as 1.7.0_6 (reported by java -version as 1.7.0_06). The release notes don't call out specific vulnerabilities, but the long list of fixed issues includes several that look a lot like patched security bugs.

However, the big news on the back of this update is that Oracle now officially supports Java on OS X (Lion 10.7.3 or later). That means you can get Java straight from Oracle and receive updates as Oracle releases them, rather than waiting for Apple to push them out through its Software Update service. The delay that arrangement introduced was exploited by the Flashback malware, which used the window between Oracle's and Apple's updates to infect some 600,000 OS X machines through a Java vulnerability. The trade-off is that if you replace the Apple-provided Java with Oracle's, you lose the integrated updates via Software Update and need to use Oracle's updater instead.
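As an added example (not part of the original post), here is a small POSIX shell script that decides whether the Java a host reports is at or above the 7u6 release mentioned above, by parsing the output of `java -version`, which Java prints on stderr as `java version "1.7.0_06"`. The two sample outputs are constructed for the example (their build identifiers are made up), and the 7u6 floor is taken from the version in the post.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the Java a host reports
# via `java -version` is at or above Java 7 Update 6 (1.7.0_06), the release discussed above.
# Java prints its version on stderr in the form:   java version "1.7.0_06"

MIN_PATCHED="1.7.0_06"   # first version carrying this Patch Tuesday's fixes, per the post

# java_version_from_output OUTPUT
# Prints the quoted version from the first `java version "..."` line (also matches
# the `openjdk version "..."` form newer builds print); prints nothing if absent.
java_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_version_num VERSION
# Turns 1.7.0_06 into a single comparable integer:
#   major*1000000 + minor*10000 + patch*100 + update   (1.7.0_06 -> 1070006)
# A version with no _update suffix (1.7.0) counts as update 0.
java_version_num() {
  printf '%s\n' "$1" | tr -d '"' | awk -F'[._]' '{
    u = ($4 == "") ? 0 : $4 + 0
    print $1 * 1000000 + $2 * 10000 + $3 * 100 + u
  }'
}

# java_patch_status OUTPUT
# Prints one of: patched (>= 7u6), outdated (< 7u6), unknown (no version line found).
# Always exits 0 so it is safe to call under `set -e`.
java_patch_status() {
  v=$(java_version_from_output "$1")
  if [ -z "$v" ]; then
    echo unknown
  elif [ "$(java_version_num "$v")" -ge "$(java_version_num "$MIN_PATCHED")" ]; then
    echo patched
  else
    echo outdated
  fi
}

# Constructed sample outputs (build ids are made up for the example).
SAMPLE_OLD='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)'
SAMPLE_NEW='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  echo "$(java_version_from_output "$sample"): $(java_patch_status "$sample")"
done

# Live check of whichever java is on PATH (skipped when none is installed).
if command -v java >/dev/null 2>&1; then
  live_out=$(java -version 2>&1 || true)
  echo "java on PATH: $(java_patch_status "$live_out")"
fi
```

Run it on the Mac itself to check the command-line Java. Note that the browser plugin, which is what Flashback-style drive-by attacks hit, may be a separate installation from the java on PATH, so check the plugin's version separately rather than assuming the two match.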