Patch Tuesday is always a little more interesting when Adobe’s quarterly updates sync up with Microsoft’s monthly updates. Today’s particular updates also seem to bring some promising changes that will improve patching in the future.
Microsoft
Microsoft’s Security Bulletin details the six security bulletins released for this month. Four of them are critical severity and fix remote code execution vulnerabilities across multiple products.
Adobe
Adobe is where things get interesting this month. Adobe Reader and Acrobat 10.1.2 updates to 10.1.3 and 9.5 to 9.5.1. Today’s updates resolve vulnerabilities that could allow remote code execution. The patches for those who cannot update from Adobe 9 yet are rated as more urgent to update than the updates to Adobe X.
Along with the normal software updates Adobe is making eSignatures available to Adobe Reader X users starting with version 10.1.3 and for Adobe Reader mobile users as well. Resulting from Adobe’s purchase of EchoSign, the eSignature service provides contract status and visibility into the signature process. Mobile users will be able to use the eSignature to sign a document by hand-drawing their signature on a touch device and send documents to others to be signed. Adobe Reader for iOS and Android devices also include new features like annotating, commenting, and filling out forms to be sent on to a recipient.
Some of the more interesting details with this update come from the Background on Security Bulletin APSB12-08 blog post.
With Adobe Reader or Acrobat 9.5.1, the software will now look to the Flash Player installed on the system instead of using the Authplay.dll plugin that has been every system administrator’s nightmare since Adobe decided to allow Flash content to be included in PDF files. The same method is in development for Adobe Reader and Acrobat X. This will translate into fewer updates in the future. Previous vulnerabilities found in Adobe Flash Player also had to be patched in Adobe Reader/Acrobat. Once this method is in place, only the system’s Flash Player will have to be updated in order for the system to be up to date.
Adobe Reader/Acrobat 9.5.1 also disables rendering 3D content by default.
In other news, Adobe has reviewed their quarterly release cycle and has decided to make some changes. Adobe is going to shift from a quarterly release cycle to an as-needed cycle. Emergency out-of-cycle patches will still come out as needed and they will still publish security updates on the second Tuesday of the month (Patch Tuesday). If I understand it correctly, it means that patches may come more frequently (monthly) or less frequently, as the security landscape dictates.
The updates can be acquired through the product’s update tools or from the Adobe website or FTP site.