Adobe and Oracle have pushed out patches for critical flaws found in ubiquitous programs that many consumers use, but may not even know exist.
Adobe's update, released yesterday (Feb. 20), patches a vulnerability disclosed last week in Acrobat, Reader and the Reader browser plug-ins. The flaw let attackers crash the application and remotely execute code, on both Windows and Mac OS X.
The attacks, delivered by spear-phishing emails carrying malicious PDF files, were the first seen in the wild to break out of the sandbox that Adobe Reader has used since Reader X.
When it works, sandboxing confines the application's process: even if a booby-trapped file exploits a bug in Reader, the attacker's code is kept away from the rest of the operating system and the user's files. A sandbox escape defeats that second line of defense, which is why this flaw drew so much attention.
Before the patch, Adobe rated the flaw critical and told Windows users to reduce their exposure by running Reader XI and Acrobat XI with Protected View enabled. Protected View opens a document read-only inside the sandbox with most features disabled, and nothing in the file runs until the user explicitly chooses to trust it.
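For administrators who want to verify that the mitigation Adobe recommended is actually in force, here is an added example (not code from the article or from Adobe) that audits the Reader XI and Acrobat XI sandbox settings on Windows through the FeatureLockDown policy keys and enforces them where they are missing. The key path and the value names bProtectedMode and iProtectedView are taken from my reading of Adobe's enterprise policy documentation and should be treated as assumptions to confirm against the Preference Reference for your version.

```powershell
# Added example, not from the article or from Adobe: audit and enforce the
# Reader/Acrobat sandbox policy on Windows. Registry names below are
# assumptions based on Adobe's FeatureLockDown documentation; verify them
# for your version before deployment.

$Version  = '11.0'   # Reader XI / Acrobat XI, the versions Adobe's advice covered
$Products = @(
    # Protected Mode (the sandbox proper) exists only in Reader; Protected View
    # exists in both Reader XI and Acrobat XI.
    @{ Name = 'Acrobat Reader'; HasProtectedMode = $true  },
    @{ Name = 'Adobe Acrobat';  HasProtectedMode = $false }
)

function Test-ProductInstalled {
    param([string]$Name)
    # 32-bit Reader/Acrobat on 64-bit Windows register under Wow6432Node.
    (Test-Path "HKLM:\SOFTWARE\Adobe\$Name\$Version") -or
    (Test-Path "HKLM:\SOFTWARE\Wow6432Node\Adobe\$Name\$Version")
}

function Get-AdobeSandboxState {
    # Returns one object per installed product with the effective policy:
    #   bProtectedMode : 1 = sandbox on, 0 = off, $null = not set by policy
    #   iProtectedView : 0 = off, 1 = files from unsafe locations, 2 = all files
    foreach ($p in $Products) {
        if (-not (Test-ProductInstalled -Name $p.Name)) { continue }
        # HKLM\SOFTWARE\Policies is shared between 32- and 64-bit views.
        $key   = "HKLM:\SOFTWARE\Policies\Adobe\$($p.Name)\$Version\FeatureLockDown"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $modeOk = (-not $p.HasProtectedMode) -or ($props.bProtectedMode -eq 1)
        $viewOk = ($props.iProtectedView -eq 2)
        [pscustomobject]@{
            Product          = $p.Name
            PolicyKey        = $key
            HasProtectedMode = $p.HasProtectedMode
            bProtectedMode   = $props.bProtectedMode
            iProtectedView   = $props.iProtectedView
            Compliant        = ($modeOk -and $viewOk)
        }
    }
}

function Set-AdobeSandboxPolicy {
    # Lock the sandbox on (Reader only) and force Protected View for all files.
    # Writing under HKLM\SOFTWARE\Policies needs an elevated shell.
    param(
        [Parameter(Mandatory)][string]$PolicyKey,
        [bool]$HasProtectedMode = $true
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($HasProtectedMode) {
        Set-ItemProperty -Path $PolicyKey -Name 'bProtectedMode' -Value 1 -Type DWord
    }
    Set-ItemProperty -Path $PolicyKey -Name 'iProtectedView' -Value 2 -Type DWord
}

# Usage: audit first, then remediate only what is non-compliant.
$state = @(Get-AdobeSandboxState)
$state | Format-Table Product, bProtectedMode, iProtectedView, Compliant -AutoSize
foreach ($s in ($state | Where-Object { -not $_.Compliant })) {
    Set-AdobeSandboxPolicy -PolicyKey $s.PolicyKey -HasProtectedMode $s.HasProtectedMode
}
```

The policy keys take precedence over the per-user preferences in HKCU, which is the point of using them: a user who clicks "Enable All Features" on a document is not also allowed to switch the sandbox off globally. Note that Protected View is a mitigation, not a fix; the patch still has to be installed.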
Coming on the heels of the announcement of several high-profile Java-based attacks against Twitter, Facebook and Apple — and perhaps dozens of other companies — Oracle's latest patch for Java, released Tuesday (Feb. 19), may be anticlimactic.
The Twitter, Facebook and Apple attacks all took place in January and exploited Java flaws that Oracle had patched by Feb. 1. This week's patches are still rated critical, however, which means they should be applied right away.
Apple has a love-hate relationship with Java. The computer maker once insisted on shipping its own Java updates, but fell behind last year: its fix for a Java flaw arrived weeks after Oracle's, and roughly 600,000 Macs were infected by the Flashback malware in the meantime.
Then Apple decided to stop including Java in stock installations of Mac OS X, which protected Mac users from Java flaws unless they downloaded it from Oracle.
Apple's latest software update disables the Apple-supplied Java plug-in in all Web browsers, so Mac users who still want Java in the browser must install the plug-in from Oracle.
Unless you're a software developer or rely on Web-based conferencing software that needs it, there probably aren't many good reasons to keep Java enabled in your browser. Many security experts recommend turning it off.
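On Windows, the "Enable Java content in the browser" checkbox that Oracle added in Java 7 Update 10 is backed by a line in the user's deployment.properties file, which means the setting can be checked and applied by script rather than by clicking through the Java Control Panel. The following is an added example, not code from the article or from Oracle; the property name deployment.webjava.enabled and the LocalLow file location are assumptions from my reading of Oracle's deployment documentation, so confirm them against the JRE you actually run.

```powershell
# Added example, not from the article or from Oracle: read and set the
# per-user property behind "Enable Java content in the browser" on Windows.
# Property name and path are assumptions; verify for your JRE version.

$DeployDir  = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment'
$DeployFile = Join-Path $DeployDir 'deployment.properties'
$Pattern    = '^\s*deployment\.webjava\.enabled\s*=\s*(\S+)'

function Get-BrowserJavaEnabled {
    # $true when the browser plug-in is enabled. Java's default when the
    # property is absent is "enabled", so a missing file or key returns $true.
    if (-not (Test-Path $DeployFile)) { return $true }
    foreach ($line in Get-Content $DeployFile) {
        if ($line -match $Pattern) {
            return ($Matches[1].ToLower() -ne 'false')
        }
    }
    return $true
}

function Disable-BrowserJava {
    # Rewrite deployment.properties with exactly one
    # deployment.webjava.enabled=false line, keeping every other setting.
    if (-not (Test-Path $DeployDir)) {
        New-Item -ItemType Directory -Path $DeployDir -Force | Out-Null
    }
    $lines = @()
    if (Test-Path $DeployFile) {
        # @() keeps this an array even when only one line survives.
        $lines = @(Get-Content $DeployFile | Where-Object { $_ -notmatch $Pattern })
    }
    $lines += 'deployment.webjava.enabled=false'
    # Java reads this file as an ISO-8859-1 properties file; ASCII is safe.
    Set-Content -Path $DeployFile -Value $lines -Encoding Ascii
}

# Usage: report, disable, and confirm.
"Browser Java enabled before: $(Get-BrowserJavaEnabled)"
Disable-BrowserJava
"Browser Java enabled after:  $(Get-BrowserJavaEnabled)"
```

This is a per-user setting that the user can flip back in the Java Control Panel. For a managed fleet the same property is normally set in a system-wide deployment.properties referenced from deployment.config and locked with the corresponding ".locked" entry; that mechanism is Oracle's, not shown here, and is worth reading up on before relying on it.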