The big day is here and it's time to decide: Patch Flash, Windows, Office or Android first?
Plus: 'Dirty COW' remains unfixed in Google OS
Adobe and Google
Not to be outdone, Adobe has posted fixes for nine CVE-listed flaws in Flash Player for Windows, macOS and Linux. The vulnerabilities could be used by an attacker for remote code execution by way of malformed Flash media files.
For those running Google Chrome, Microsoft Edge, and Internet Explorer version 11 and later, the Flash patches will be automatically downloaded and installed. Users and administrators managing other browsers are advised to patch Flash Player as soon as possible, though killing it is also an option.
Adobe has also released an update to address a flaw in its Connect conferencing application. That bug, only present on Windows, could allow an attacker to perform a cross-site scripting attack. Connect for Windows users should update to version 9.5.7.
Google, meanwhile, has released a security update for 82 CVE-listed vulnerabilities in Android. The Google update, designated 2016-11-05, will be released for all Google devices and is recommended for other Android devices as the "complete" security patch level (vendors also have the option of pushing out a partial patch with only the most serious bug fixes).
Among the flaws addressed in the November Android update are elevation of privilege vulnerabilities in the Nvidia GPU driver firmware, and remote code execution vulnerabilities in the Qualcomm crypto driver, Media Server, libjpeg, the Android runtime, WebView and FreeType.
A specially crafted media file can exploit an elevation-of-privilege bug to hijack a vulnerable Android device via Media Server, libjpeg and friends; the Qualcomm crypto driver can be exploited to run code in the kernel. Essentially, patch as soon as you can before hackers find ways to exploit these programming flaws.
Not fixed was CVE-2016-5195, popularly known as "Dirty COW." That bug, allowing installed applications to swipe "root" privilege and hijack the device, is slated to be patched in next month's scheduled update. ®