On Tuesday, I got an email with this message from Qualys CTO Wolfgang Kandek’s blog post:
“Today Adobe released the APSB12-19 bulletin for Adobe Flash and Adobe AIR. It addresses six flaws in the Adobe Flash Player for Windows, Mac OS X and Linux operating systems. Five of the flaws are categorized as critical and can lead to remote code execution on the attacked machine.”
And I thought, hold on a second. Didn’t Adobe just have a “Patch Tuesday” the week before? The new Adobe patch jumped out at me because it coincided with Microsoft’s Patch Tuesday, which doesn’t usually happen. Sure enough, Kandek’s post confirmed that I wasn’t imagining things, even stating that IT administrators would likely be surprised to see Adobe updates in consecutive weeks. (I know I was, and I’m not even an IT administrator.) Adobe isn’t especially known for its frequent patches, although they do seem a little more frequent than they used to be.
So what’s going on? Simply, it appears that the original update didn’t fix everything.
The first patch was to address vulnerable machines where Flash was particularly targeted. The focus was Flash on Internet Explorer, according to Kaspersky’s Threat Post. Reader and Acrobat were also fixed in that patch. However, as described by ZDNet:
“But this patch is no longer effective against yet another set of vulnerabilities that affect all versions of Flash Player, including Android 4.x, 3.x and 2.x. Like the previous vulnerability, these could allow attackers to crash and take control of the targeted computer or device and has earned Adobe's highest severity rating of critical, leading Adobe to release a new patch only a week after the last.”
Why not fix everything at once? Kandek speculated that the initial patch was an emergency patch to fix a problem out in the wild. This may be the case. It’s not always easy to figure out Adobe’s line of thinking when it comes to patches. One of the patches could have been an emergency patch. Or maybe the vulnerabilities were bigger than anticipated and the second patch was to fix what didn’t work the first time around.
In any case, the two patches so close together were unusual and would signal something serious. Adobe updates are the type where it is really easy to click the “install later” button. It might be a good idea to make sure the company computers are installed with both updates – installing later could cause big problems.