February 12, 2013

Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.

Five of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.

Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.

Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.

And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17 distinct vulnerabilities; unlike last week’s emergency Flash Update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

[Graphic: adobe11-6-602]

Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.167, which Google pushed out today. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).

As Adobe does every time it releases a Flash Update, it has released a fix for Adobe AIR. If you have that software installed, it can be updated from this link.

Finally, as the graphic above indicates, a fix for Adobe’s Shockwave Player is available that fixes at least two flaws. The latest version of Shockwave is 12.0.0.112, available here. You can find the new version and an accounting of whether you have this program installed and its current version from this page. If you have this program installed, update it; if that page offers a download, you don’t have Shockwave installed and probably don’t need it.


25 thoughts on “Fat Patch Tuesday”

    1. BrianKrebs Post author

      Sigh. Using my name for malware and exploits and other dirty deeds online is becoming something of a meme in the criminal Underweb. This has been going on for a long time, but recently it’s gotten worse. I still take it as a compliment, but it gets annoying when so-called researchers actually ask if I had anything to do with these things.

      1. Vee

        For that matter, I don’t know if people in the comments here should be using usernames they use on other sites. Harassing a “fanbase” isn’t exactly uncommon online.

        A thought of “look at those krebtards, let’s screw with them” and a google search is all it really takes.

  1. Wayne

    What, exactly, does Adobe AIR do? Somehow, Adobe installed it on my PC 2 or 3 years ago.

      1. Wayne

        A nearly 5 year old article; AIR might as well be as useful as Java nowadays.

        Thank you, anyway.

  2. Alex Blackwell

    Although the Chrome update has been announced, I don’t think Google has pushed it out yet.

  3. A

    Flash isn’t necessarily installed in IE. I don’t have it for anything but Firefox and thus only have to update once. If you rarely use IE, consider getting rid of its Flash.

  4. Sandy

    Regarding the recent MS Update “Security Update for Microsoft XML Core Services 4.0 Service Pack 3 for x64-based Systems (KB2758694)”, I have tried to install it many, many times and it fails each time. I have tried Microsoft’s suggestions, but still cannot get it to install. Do you have a way to get it to install?

    1. Uzzi

      Version 2758694 was published 1/7/2013?…
      …while there is malware out there blocking updates, consider installing Windows anew or ask someone experienced to help. (You could ask http://support.microsoft.com/ for support, too…)

    2. JimboC

      Hi Sandy,

      Uzzi is right. You should contact Microsoft Technical Support about this issue.

      Please note that since you are experiencing issues with the security update that you mention, you should not be charged for technical support. Microsoft provides free support for issues caused by security updates.

      Please quote the knowledge base article number of the update that is causing the installation, namely kb2758694.

      You can contact Microsoft Support from the following link:

      http://support.microsoft.com/select/?target=assistance

      I hope this information is of assistance to you. Thank you.

  5. Debbie Kearns

    Brian, I secretly love you. And since Valentine’s Day is coming up….maybe we could go naked horseback riding? I have cowboy hats and everything.

    1. BrianKrebs Post author

      Yes but do you also have horses? Or chaps for that matter? Riding a horse…errr…bareback would chap big time.

      1. Debbie Kearns

        Wait a sec! I never posted that! Someone has been hacking into my profile and using my name to say naughty language and porn on you, which I did not! 🙁 Does anyone know why?

  6. Vee

    Thanks again for saving my sanity of not having to hunt down every single plugin to see what has updated every Tuesday. I used to use Wikipedia pages to see what stuff was updated (well I still do for some stuff) and usually I’ve found someone has kept up with the latest version number.

    So say you have, oh I dunno, let’s say 7-Zip. So you just go wikipedia.org/wiki/7-Zip and on the side there’s “Stable release”. Then just compare it to what version you’re running. Not the best way to do it, but I like it more than program update scanners which I find usually miss stuff.

    Probably the sure fire way is to go to every developers’ website and get it straight from the horse’s mouth, but a lot of times the version numbers are buried.

    1. NetD

      Have you tried Secunia PSI? It automates a large portion of application updating for you.

    2. Old School

      “Not the best way to do it, but I like it more than program update scanners which I find usually miss stuff.” “Not the best way” is correct. “Probably the sure fire way is to go to every developers’ website and get it straight from the horse’s mouth, but a lot of times the version numbers are buried.” Also correct but with a little practice you will become accustomed to each vendor’s format. Always use primary, vendor sources. For example Adobe has an “about” page for the Flash Player: http://www.adobe.com/software/flash/about/. Since there will be one URL for each program product you own, you will need a folder to store the URLs. Go to the Bookmark Toolbar and add a folder to hold the URLs. Call the folder “Version Info”. Now you have a system that is both precise and free. Next, you will have to run your system once a day or at an interval that is logical. If you wish, you can “upgrade” your folder system to include URLs that have the download links. For example, Adobe’s Flash Player download page is http://www.adobe.com/products/flashplayer/distribution3.html . There is no charge for the upgrade!!!

      1. Vee

        Also replying to NetD as well.

        Yeah, I’ve used Secunia PSI but I don’t know if I like it for my own machine. I’d use it on someone else’s machine for sure if they had software I wasn’t familiar with. I really like Qualys BrowserCheck and am forever grateful Krebs made me aware of it.

        And Old School
        I’ve actually done that for some stuff, although now I want to do it for everything after reading that.

        Thanks guys for the replies. In an ideal world for me I wish Windows would handle software much like Linux distros or even the way Steam handles updates. Imagine if upon loading Windows everything was updated. Secunia PSI does come close I will say but I think it should be the Operating System’s job to alert when possible. Then like Windows updates you could just set it to notify rather than automatically install. I hear Windows 8 is starting to do something like that already, but I get the feeling it still falls short and is limited.

        Be nice if either way we weren’t forced to almost obsessive compulsively watch stuff, but I’ve grown up with it and now sadly treat it as second nature. Good thing it pays off more than not.

    3. Richard Steven Hack

      Look into PatchMyPC. It’s not as comprehensive as some application update utilities, but it covers the main security offenders like Adobe Reader and a fair number of other applications as well.

      http://patchmypc.net/

      I usually install it on any new home user client I get and tell them to run every week or two to make sure they’re up to date on critical security patches. Whether they remember to do it is another matter. I don’t feel comfortable forcing a client to run it by automating the run.

      However I see from the changed Web site that the dev is working on an automated solution for home users as well as one that works with Microsoft System Center.

  7. Dirgster

    Brian, trying to stay safe, I can always depend on your knowledge and expertise when it comes to threats and critical updates. I want to thank you for all your hard work! By being informed of the latest security issues, you enable us to stay one step ahead of the bad guys, and I commend you for it!

  8. Richard Steven Hack

    “In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works.”

    Yup. .NET updates suck rocks. I don’t know why this platform is harder to update than the ENTIRE OS, but it’s definitely true.

Comments are closed.