Shockwave 11.5.8.612, Multiple Patches

There’s a new version of Shockwave from Adobe. It’s now at version 11.5.8.612, updated to block multiple problems that allowed third-party code to run without the appropriate permissions.

Update at http://get.adobe.com/shockwave/

More information at Homeland Security:
http://www.us-cert.gov/current/index.html#adobe_releases_security_bulletin_for8

Adobe Reader moves to 9.3.4, Off-schedule patch

Adobe Reader has a new patch, moving it to a current release of 9.4.4. This is not on their announced schedule of matching the Microsoft second-Tuesday patch release calendar. This patch requires a system reboot.

According to the Adobe release notes:

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2010-2862).

These updates further mitigate a social engineering attack that could lead to code execution (CVE-2010-1240).

These updates incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

Translation into non-technobabble: Without the patch, bad guys can run their programs on your computer, including malware installers.

In my opinion, all users should also turn off two features in Adobe Reader to reduce the possibility of third-party code running unapproved. In the Tools, Preferences menu, go to Javascript. Uncheck the top box. And in Trust Manager, uncheck the top box. The first option runs scripts, and the second runs embedded documents, including possible macro code. No one uses these features except malware writers.