Patch Tuesday growing in scope: Microsoft + Adobe + Google

The apparent motivation for Adobe to synchronize with Microsoft is the inclusion of Flash within Internet Explorer. Without that synchronization there is a potential lag between the two updates, a period in which malware actors could seek to exploit Internet Explorer via Flash.

But Google also includes Flash within the Chrome browser, and has since spring 2010. Chrome updates itself silently and automatically – but in order to avoid a similar time lag and period of vulnerability it has to synchronize Chrome updates with Flash updates which are synchronized with Microsoft Patch Tuesday. This Tuesday, then, users have been faced with the major Patch Tuesday Microsoft updates, including one to Internet Explorer; Adobe’s synchronized updates; and an update to Google’s Chrome because of Adobe’s Flash update (although Google will continue to update Chrome as and when necessary for non-Flash updates).

Microsoft’s December patches are discussed here. Adobe issued two updates on Tuesday; ColdFusion and Flash – but immediately followed with a third for Photoshop Camera Raw on Wednesday.

The ColdFusion update addresses a vulnerability that could result in a violation of sandbox permissions. Adobe is not aware of any exploits in the wild, and does not immediately expect any.

The Flash update resolves a buffer overflow issue that could be exploited to cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends that Windows users update as soon as possible, Mac users do so as soon as convenient, and others do so soon. Adobe is not aware of any exploits or attacks in the wild for any of the issues addressed in this update, and the update advice seems to be based primarily on the historical target value of the different platforms.

Chrome users don’t need to worry about the update since it happens automatically. Internet Explorer users will have been updated via Microsoft’s own Tuesday updates.

The Photoshop Camera Raw update addresses both buffer overflow and buffer underflow issues that could lead to malicious code execution. Photoshop Camera Raw is not a traditional target for attackers, and Adobe is not aware of any exploits, nor expects any imminently.

The first of Infosecurity's Patch webinar series launches today at 3pm. Register to join us using this link. 

What’s Hot on Infosecurity Magazine?