Tuesday, May 26, 2009

Who gets a patch???

May 2009

Adobe gets a patch:
Adobe to patch critical Adobe Reader, Acrobat vulnerabilities. Adobe is issuing patches on May 12 for critical Adobe Reader vulnerabilities that could allow remote attackers to launch malicious code on users’ computers through infected PDF files. The impending update will repair critical Adobe Reader and Acrobat Reader errors in versions 9.1 and prior for Windows, Mac and Unix systems. The patch also will cover Adobe Reader 9.1 and 8.1.4 for Linux. If exploited, the flaw could allow attackers to launch denial of service attacks, crash a system or distribute malware that could take control of a user’s computer and steal information. Reports indicate that the vulnerability stems from an error in the “getAnnots” JavaScript function, according to the U.S. Computer Emergency Readiness Team. In an effort to mitigate the risk, the federal agency recommended that users disable JavaScript in Adobe Reader. To disable JavaScript, users are advised to select the JavaScript category under the “Edit:Preferences” tab and uncheck the “Enable Acrobat JavaScript” option. The San Jose, California-based company issued a security advisory in April warning users that the critical flaw affected Adobe Reader 9.1 and all previous versions of Adobe Reader and Acrobat Reader. So far, security experts say that there are no known “in the wild” attacks exploiting the vulnerability, but that likely will change as hackers get a hold of the exploit code and take advantage of users who have failed to update their systems.

Microsoft gets a patch:
Microsoft delivers mega PowerPoint patch. As expected, Microsoft on May 12 patched a six-week-old critical vulnerability in PowerPoint, the presentation maker that is part of the popular Office suite, using a single security update. But that one update patched 14 separate vulnerabilities, 11 of which were rated “critical,” Microsoft's highest threat ranking. Also, while Microsoft patched all still-supported Windows editions of Office, including Office 2000, Office XP, Office 2003 and Office 2007, it was not able to complete fixes for the three vulnerabilities that also affect Office 2004 and Office 2008 on Macs. Fixes for those editions were not ready, the company said. This is the first time that Microsoft has issued patches, but not plugged holes in every affected version, a fact the company itself acknowledged. “We normally do not update one supported platform before another, but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages,” said an engineer with the Microsoft Security Response Center, in a post to a company blog. “None of the [PowerPoint] exploit samples we have analyzed will reliably exploit the Mac version, so we did not want to hold the Windows security update while we wait for Mac packages,” added the engineer. http://www.reuters.com


