10
Aug 10

Critical Updates for Windows, Flash Player

facebooktwittergoogle_plusredditpinterestlinkedinmail

Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.

Microsoft tries to further emphasize which critical patches should be applied first, and it does this largely by assessing which of the flaws appear to be the easiest and most reliable to attack. According to an analysis posted on the Microsoft Security Response Center blog, the most dangerous of the critical flaws patched this month involve media file format and Office bugs.

Specifically, Microsoft pointed out a critical flaw in Microsoft Silverlight and its .NET Framework, as well as bugs in the Microsoft MPEG-Layer 3 and Cinepak codecs. All of these media format vulnerabilities are critical and could be exploited merely by loading a tainted media file, either locally or via a Web browser, Redmond said.

The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.

More details on the rest of this month’s updates are available here. Just a quick note about this patch batch for consumers: It might not hurt to wait a day or two before applying the Microsoft updates. Given the sheer number of vulnerabilities addressed in this release, there is a good chance that one or more of them may turn out to cause problems for some customers. Also, there don’t appear to be any online threats actively exploiting any of these flaws at the moment.

In other news, Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update at least twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, Chrome or whatever other browser you use. Also, unless you want some “free” software — like McAfee Security Scan or whatever Adobe is bundling with Flash player this month — remember to uncheck that option before you agree to download the software.

Finally, a blog post I published on Sunday incorrectly stated that Adobe would be issuing an update for its PDF Reader software today. Adobe plans to release the Reader update next week.

As always, please drop a note in the comment section below if you experience any issues applying these updates.

Tags: , ,

39 comments

  1. Neither the Adobe DLM or standalone installer worked to upgrade my Google Chrome browser. I believe that Chrome has Flash built-in, so presumably one needs to wait for Google to update the browser.

    • Google Chrome was just updated to version 5.0.375.126, which also updated the built-in Flash to the latest version.

  2. Downloaded/installed all updates with no problem, except that Internet Explorer (slow in the base case) is now essentially unresponsive. Firefox works fine, so no big deal.

  3. If Flashplayer fails to load in Firefox, try disabling the Getplusplus addon. It worked for me on one box running Windows 7-32 bit.

  4. As usual, Adobe’s Flash web site refuses to update my IE8-32, falsely claiming that I am running IE8-64.

    (My operating system is Vista x64 SP2.)

    In the past, I have eventually received Flash updates, when one day, I reboot my computer, and Adobe’s updater suddenly appears.

  5. I’m using Win XP Pro SP3 with Office 2003, install all patch so far so good. No issue here.

  6. A maddening experience. Something is wrong.

    First, I updated Microsoft and then before messing with Adobe Flash, did a Secunia PSI scan of my computer. It gave me a 100% score, all available updates installed.

    What about the Flash update! Does it really need an update?

    Installed on my computer are versions 10.1.53.64 for both Adobe Flash Player 10 and Adobe Flash Player 10 Active X. These are the versions that putatively need to be replaced — but apparently not according to Secunia.

    OK, so I follow Brian’s link to do the Flash updates.

    NOTE: I had uninstall Java at Brian’s suggestion, and the download process at Adobe Flash was calling for, looking for Java to run the download process. I got nothing.

    Adobe would neither download nor install the update. What it did do is install on Firefox add-ons the same version of Flash that has been on my computer, 10.1.53.64

    All of this consumed a lot of my time at a critically important moment when I’m working on a deadline.

    So this question. Do there still exist solid state machine that just do word processing with hardware, no software, other than the file produced? Rich Text Format RTF would be fine. I’d be able to transfer the files to my computer, to Word etc. and save and send the files. using USB ports installed on the solid state word processor.

    Screw computers!

    • Sure they do. Here you go
      http://www.techdepot.com/pro/product.asp?productid=116005 – For a more complete description check out Brother’s web site. http://www.brother-usa.com/typewriters/default.aspx?src=EM630.

      Smith Corona made a pretty good word processor but, oh, that’s right, they went out of business yeeaars ago.

      • Thanks for your efforts and the links, but I’m talking about digital text. Imagine a mini a netbook computer that is a solid state wordprocessor, the text can be viewed and edited on the screen, the only software involved being the saved file. A universally compatible Rich Text Format *rtf would do the trick, saved onto drive devices connected by USB ports. That’s it. That’s what I’ve been looking for and it just isn’t out there. In the end we are slaves to these damn computers. I want to be able to work without one, with the device detailed above. Freedom from these damn computers is what I want.
        David

        • David:

          You’re looking for a straightforward word processor, right? I mainly lurk around here, but I do have a couple of suggestions:

          NEO Dana
          http://www.neo-direct.com/default.aspx
          Not cheap, but it supposedly handles the major Office formats; I’d imagine TXT is included…

          Quick Pad
          http://www.quickpad.com/Showcase.asp
          They have an infrared and a pro model that might work for you…

          Finally, consider getting a ten-year-old computer. That’s right. Something with Windows 95 and Wordpad or even Works. Even if it gets compromised online, just restore from a backup set of disks (if you can find any) and you’re golden.

          Good luck, David!

        • Buy an inexpensive PC and utilize a LiveCD that has an OS (Linux?) and a simple word processing software. Don’t bother with any network connectivity, and you have what you want. You could then load your documents onto your USB drive or a floppy and move them to your PC when you need to, and you’ll still have your original file in case your PC dies or is attacked.

    • OK, I got the Adobe Flash files installed, for both Firefox and I.E. Why couldn’t I do it previously?

      Because I had uninstalled Java. I could not install the Adobe Flash updates until I installed Java. Updating and indeed installing Flash depends on Java.

      Brian needs to revisit his recommendation of uninstalling Java.
      - David

      • While patching is important, if you’re working on a deadline, respectfully, I wouldn’t go looking to install any updates the first day they’re released. It puts you in the wrong mindset to where you just want to get the updates done and move on to get back to your deadline work while potentially causing problems by rushing the patch process.

        Not sure what your setup is, but don’t know why Flash wouldn’t update without Java as the two are NOT in any way related or rely on one another! I’ve been using and updating Flash Player for years without any single installation of Java (clean install of Windows). The only thing I can think of is that some software program installed on your system or some other non standard configuration is the cause.

        Also, I highly recommend bypassing the get Flash Player website and just download the exe installer (see below, neither have any toolbars added to the install, just Flash Player):

        Flash Player (Internet Explorer for Windows only):
        http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

        Flash Player (All other Windows browsers):
        http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

        Lastly, you hit on a pain point with third party updaters such as Secunia PSI. They will be a bit delayed when new patches are released as they play catch up with the actual patch vendor. That’s why although Secunia PSI is a great tool, I recommend going straight to the source first.

        Microsoft Update (for all Windows and Office patches):
        http://update.microsoft.com/microsoftupdate

        Any third party such as Adobe Flash Player as referenced above! :)

        The key is to keep it simple! An immense help is to limit the software installed on a system to only what is really needed. Limits the attach surface and minimizes patching. :)

      • Hi David,
        You do not need Java JRE to install flash, i am on XP SP3 and have fully removed java months ago. If you go to Filehippo download it fron there, avoid Adobe website you will just get a mental migraine and junk you do not need!

    • Hi David,
      I always update flash player from filehippo http://www.filehippo.com/ you will find both versions ie and non ie in browser and plugins box on the left just click view more and forth set down, you just get the player with the setup file and no other junk.

  7. Pie Eating Gorilla

    Please wake me when Microsoft or another company includes the option in their malware scanners to scan PCI/AGP cards, all USB devices, BIOS/CMOS and compare valid firmware on these devices against a known database of valid firmware checksums.

    Google: “PCI Rootkits”
    and rootkits/trojans on network cards for a beginning in your education of real and long lasting malware threats.

    Reps from commercial companies will bury this so you can’t read it, or deny this with a false reason as they sock puppet comment as a real user and bury it.

    The first company to include malware scanning of attached hardware devices, without giving into whitelisting, would stand to make a pretty fortune.

    There are one or more websites which allow you to compare/upload your file(s) and compare them with known and valid checksums, the same should be available for hardware’s firmware. Who wants to step forward and blaze a new trail into the future?

    For those who care about their monitor’s display privacy, Google: “Zero Emissions Pad”. The freeware program is difficult to locate, but you may discover it on a German freeware website. It is a text editor which claims to guard against TEMPEST attacks.

  8. When I tried to sign off on my home computer using Windows 7 yesterday (Tuesday evening), I received a message not to touch or turn off my computer until 13 updates were completed. Things worked ok until update 11, which just sat there for 6 hours. At that point I gave up and turned off the computer. When I booted up to see what damage I might have done, I had to start in the Safe Mode. Things seemed ok, so I powered down and booted up again. It booted ok, but then gave me a warning that some updates didn’t load, and then asked if I wanted to continue the updates. I said yes, and they seemed to load fine, then automatically power down my computer, and then boot up again. Things seem to work ok as I opened several applications, but I have this sinking feeling that all is not what it should be with this type of update push. And, I don’t like the fact that I have no way of knowing what update push my computer hung up on, as my only visual indication was ‘update x of 13″.

    • You can always visit Microsoft Update (link below) to check if your system still needs any further patches (listed under “Critical Updates” section, the others are optional)

      http://update.microsoft.com/microsoftupdate

      Or you can dig deeper in the system Event Viewer and look for errors regarding any “NtServicePack” entry.

      “Click the Start button . In the Search box, type Event Viewer, and then, in the list of results, double-click Event Viewer.”

      Or if you’re in the U.S. you can call Microsoft for free patch related support at 1-866-PCSAFETY.

      • Furthermore, Microsoft Update includes a “Review your update history” link that tells you what updates were installed successfully and what updates failed. It may not record a “failure” when you do a hard power off, but you can at least see on what date and in what order the updates installed.

      • Thanks. I appreciate the information.

    • Windows 7 downloaded and installed all 14 patches successfully in less than 10 minutes on my new computer, and did not automatically shut down at any time during the process.

      I don’t have it set for automatic updates, but instead to notify me when updates are available, because I like to choose the time to do tasks. The icon appeared in my notification tray this morning. I clicked on it, and then on the screen to download updates. All 14 were done in about five minutes. After restart, the icon remained in the tray; when I clicked on it, it showed a screen, “Review your update history,” that listed all new updates and whether they were successful.

      You can also review your update history in Windows 7 by going to Control Panel – Windows Update, and clicking on the link to View Update History, which will give you the complete update history, not just the most recent. It will list updates as failed and then later as successful when retried, so you can see what the problem hung-up download is or was.

    • Over the years I have learned never to get MS updates via the shield that appears in the system tray. When the shield appears I go to Brian’s fine site and to the Sans people and read the comments concerning the updates. If it looks good I then go to the MS update site via my control panel.

      • Bart:
        Good advice to check comments before downloading anything.

        But, once you’ve checked and downloads seem to be okay, clicking on the shield opens the download page of the control panel in Windows 7 .

  9. Agreed on waiting. On a month-old Win7 Home box, it failed applying one of the updates and now I get a BSOD 45 sec after boot unless I’m in safe mode. Time to beg for an OS DVD from Gateway.

  10. Look very carefully when you’re first booting up to see if there is a System Recovery option you can run by pressing one of the F1 thru F12 keys. Nowadays there’s often a hidden partition on the hard drives that that performs the rescue function And when you are up and running, burn yourself a set of rescue disks.

  11. Personally, I always run Belarc Advisor (available free for personal use) to verify whether all Microsoft patches and upgrades have been installed. It has been very reliable with regard to failed installations. Advisor also displays a very large amount of data about the computer on which it is running. It has multiple useful features in that respect.

  12. Had no trouble updating Opera, Firefox, etc. Very swift and painless. When it came to IE, however, going through Adobe’s installation process was terrible. Locked itself up completely, doing nothing for 5 minutes. Found the above link to the installation file, and had no problems. Just as easy as the other browsers’ updates. All I had left to do was uninstall the Adobe download manager.

    I can’t stand these guys.

  13. Our Power Users (as opposed to Restricted User) are accustomed to being prompted to upgrade Adobe Flash Player and JRE. They usually accept the upgrade prompt even though they have been instructed not to do so. The Flash Player and JRE upgrades generally go through without a hitch.

    That is, until the last version of Flash Player, 10.1.53.64. Users would accept the upgrade prompts, the upgrade process would start and then stop due to user rights restrictions. Unfortunately, Flash Player failed to roll back to 10.0.45.2 which therefore disabled Flash Player

    I used to adamantly prevent applications from calling home to optimize the user’s available bandwidth. I finally gave up on disabling these update features because the next version re-enabled it. Plus these applications are ‘trusted’. I am now back on the disable automatic updates path.

    To disable Flash Player from checking for updates automatically:
    1. Bring up a site with Flash content
    2. Right-click on the Flash content and select “Global Settings…”
    3. Click on the “Global Notifications Settings” link
    4. Uncheck the “Notify me when an update to Adobe Flash Player is available” option

    Now my reason for ranting on like this, have others come across this new Adobe Flash Player update behavior? It’s such a pain disabling this automatic update feature on hundreds of PCs/laptops. Our manual method of upgrading is an entirely different story. :(

    • There is a way – using an mms.cfg file in System32\Macromed\Flash – to permanently turn off auto updates. It is all described in this Adobe article: http://kb2.adobe.com/cps/167/16701594.html

      This overrides the user setting, which might be more draconian than you desire. I use it, and have done a couple of Flash updates where the mms.cfg file has not been touched by the update, and the auto-updates have remained turned off after updating.

      HTH

  14. As previously noted, with Vista SP2 x64, Adobe’s web site refused to Flash update IE8-32, falsely claiming that it was IE8-64.

    While updating Flash in Firefox, I found a link that resolves this problem.

    With IE8, if I go *directly* to

    http://get.adobe.com/flashplayer/otherversions

    it allowed me to update Flash on IE8.

    On Adobe’s web site, for me, that link was only visable with Firefox, not IE8.

    (The standard IE8 response of Adobe’s web site is to falsely claim that I am running a 64-bit browser. End of story – no “otherversions” available.)

  15. After apply the Microsoft patches, I get:

    C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\TEMP\ZAP1287.TMP\SYSTEM.RUNTIME.REMOTING.DLL in a lot of subdirectories per my AV real-time scanner’s log. CPU use is flat-out 100% on my Lenovo Vista laptop.

    Anyone have any idea as to what’s going on? I held off on installing the patches for a couple of days to make sure they got the bugs out.

    Regards,

  16. I just (16 Aug) allowed the Flash update and lost use of my Logitech PS-2 keyboard. However a USB keyboard did work.
    Running system restore cured the problem.

  17. Your the best… I missed you on the Washington Post …. Please keep up the good work…. Glad I found your blog

  18. Do not need Java JRE to install flash on XP SP3! If you go to http://www.filedoggy.com download it fron there, avoid Adobe website you will just get a mental migraine and junk you do not need!