It’s what I like to call “Worry Wednesday”, the day after Patch Tuesday, when system administrators around the world furrow their brows in concern that malicious hackers will dissect the latest security patches issued by Microsoft and develop attacks which exploit the flaws.
It’s obviously good news whenever the likes of Microsoft and Adobe release fixes for security holes, and make them available for home users and businesses to install.
But it’s a double-edged sword. Obviously it’s good to have an official software patch to fix a flaw, but the patches themselves can provide clues to reverse-engineering hackers as to how they could exploit the vulnerability.
So, most of the time, it’s a good idea to install the patches at the earliest opportunity. Indeed, if you’re a home user it can make the best sense to automatically install security patches rather than force yourself to go through the rigmarole of remembering to download and roll out the updates yourself whenever they become available.
If you’re a big business, it’s not unusual to test that the patches don’t cause any unintended conflicts before you roll them out across hundreds of thousands of computers on your network.
Yesterday, it was the second Tuesday of the month. In Microsoft language that means it was “Patch Tuesday”, their regular time for issuing security updates, and sure enough they released security fixes for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.
Amongst the flaws they fixed was a zero-day flaw that has allowed hackers to launch targeted attacks involving boobytrapped Word documents, and broader financially-motivated campaigns using boobytrapped TIFF image files.
Microsoft had said it had seen malicious Word documents (with dangerous TIFF files embedded inside) sent to targeted companies based in the Middle East and South Asia.
But now there’s a proper fix, so you should install it before you end up in hackers’ gunsights.
Unfortunately, there *wasn’t* a fix released for the critical zero-day XP kernel attack that has been putting users of older versions of Windows at risk since the end of November.
But it wasn’t just Microsoft that released security patches yesterday.
Adobe, a company that has often been on the receiving end of hacker attacks, issued security fixes for its Adobe AIR product and Flash and Shockwave players.
The Flash issue seems the most serious, as Adobe says it is aware of reports that an exploit designed to trick users into opening Microsoft Word documents containing malicious Flash content exists for one of the vulnerabilities.
Make it your resolution for 2014 to get into the habit of taking security updates seriously. If companies like Microsoft and Adobe are prepared to go to the effort to investigate, fix and then publicise security holes in their software – you really should be listening to them.
3 comments on “Don’t delay! Grab the latest Microsoft and Adobe security patches NOW”
> If companies like Microsoft and Adobe are prepared to go to the effort to investigate, fix and then publicise security holes
Interesting view. These security holes are defects in their software so a fix for them is expected, and I don't think they would publicize any if they had the power. You make it sound like they are making these voluntarily, for the love of their customers…
> Unfortunately, there *wasn’t* a fix released for the critical zero-day XP kernel attack
MS has not been able to produce software at XP quality and sophistication for a long time. I suspect they lack talent that is able to fix something in XP.
If this round is a worry just wait till 14th May 2014 – the first patches after XP support ends. The music will have stopped and XP users won't have a chair.
XP users will probably jump to W7 for a while. But after that I think MS doesn't have a chair, because XP (and current reluctant W7 users) won't be choosing inferior MS software anymore. MS has to provide something at least barely usable (aka not-current-W8) to all those users or, simply put, most of them will not be using an MS OS anymore. W8 is not an acceptable alternative.