March 12, 2013

Microsoft and Adobe each released patches today to plug critical security holes in their products. Microsoft issued seven update bundles to address at least 19 20 vulnerabilities in Windows and related software. Adobe released the fourth security update in nearly as many weeks for its Flash Player software, as well as a fix for Adobe AIR.

winiconMicrosoft today began pushing out seven security patches, four of them rated “critical,” meaning the flaws they fix could be used by malware or bad guys to break into unpatched systems with little or no help from users. The critical patches address bugs in Windows, Internet Explorer, Microsoft Silverlight, Microsoft Office and Microsoft SharePoint. Updates are available for Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008 and 2012.

More information on the Microsoft patches is available at the Microsoft security response center blog, which also discusses some changes to the way security updates are applied to apps available through the Windows Store.

The update from Adobe brings Flash Player to version 11.6.602.180 on Windows and Mac OS X systems (see the chart below for the most recent version numbers on other operating systems). This patch fixes at least four security flaws in Flash Player. Adobe says it is not aware of any exploits or attacks in the wild targeting the issues addressed in this update. But that could change soon, so if you have Flash installed (and most users do), please take a moment to update it.

brokenflash-aThis link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Google Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.180 for Windows, Macintosh and Linux, although it does not appear that Google has pushed out this update yet. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Finally, if you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is 3.6.0.6090 for Windows, Mac, and Android.

FlashPlayer11-6-02-180


36 thoughts on “Critical Updates for Windows, Adobe Flash, Air

  1. Sergey

    I was able to update Flash in Chrome to the latest version using the Google Chrome About screen.

  2. John Senchak antihotmail.com

    It never ends with Adobe Flash player updates. I am about ready to permanently disable it. The biggest problem with Adobe Flash player is that it tends to hang Firefox 19.0x on a regular basis. Without it you can’t view web content so it’s either you deal with the browser hangs and constant updates or you disable it. Their is no happy median here

    1. Can't We All Just Get Along?

      Thanks to Brian for the as-always excellent up-to-date info, links, etc. You are awesome, man, the Washington Post really lost out when they lost you! (My only suggestion is that you enhance the “Once Hourly Digest Email” subject lines of your e-mail subscription messages with the actual title of the post.)

      Three “sorry-I’m-feeling-so-snarky” points / questions about the Adobe update:

      1) “Adobe released the fourth security update in nearly as many weeks for its Flash Player software, as well as a fix for Adobe AIR” doesn’t engender a lot of faith in the products.

      2) These Adobe people are GOOFS!
      From http://helpx.adobe.com/air/kb/determine-version-air-runtime.html:

      “The following information can be used to determine the version of the Adobe AIR runtime that is currently installed on a Windows, Mac OS X or Linux system:

      Right-click on the Adobe AIR.dll file located inside the {drive_letter}\Program Files\Common Files\Adobe AIR\Versions\1.0 directory and choose Properties and then the Version (Windows XP) or Details (Windows Vista/Windows 7) tab.”

      You would think that the “Versions\1.0” directory was for Version 1.0, no? No, that’s where they all go. Remember how they used to number the folders for Adobe Reader? [I don’t know if they still do that since switching to Sumatra PDF, I’m Reader-Free — it helps your computer run better like being Symantec-Free.] The Adobe AIR version numbering almost makes the numbering system morass of the .NET directory mess look intelligently designed.

      3) Can anyone explain why Adobe maintains both Versions 11 and 10 of Flash? Are they just as safe/vulnerable? And why would the Version 11 installation executables be 4 times the size of the Version 10 executables? Just wonderin’…

      ~ Reader-Free and Java-Free s0 far, can Flash-Free be far behind? ~

    2. spice

      ditch fire fox and use only chrome or safari instead

    3. Chakra

      I am not seeing the same issue on my computers, both run Windows 7 64 bit. However, I don’t doubt people have issues with flash. Almost a year ago, the built in flash in Chrome crashed frequently taking the whole browser with it, and 11.3 release for Firefox was equally buggy and crashy. Lately though, it seems pretty stable in both browsers, more so in Chrome than Firefox.

  3. trekker59

    Thanks for the good
    Flash update and version checking links, Brian!

  4. D.

    Brian, do you see any reason we still may need to download the Adobe Flash Player now that it looks like they are building it into the browser. I’m not sure what would need it. Could you give an example if so please. Is there a program or something we use every day that needs it. Just get me in to ballpark…smiles. I know we all have allot of things on are computers. I’m on a desktop running windows 7 using Chrome. I also have IE 10. now. Thanks for all you do.

  5. Kent England

    I have read elsewhere that IE10 only includes Flash updates on the Metro start page and that the “desktop” version of IE10 on 7 and 8 will not include automatic updating for Adobe Flash. Can you confirm this?

    1. CW

      Yes, I definitely like to know this. I was thinking of upgrading folks at my company to IE10 in the near future, mostly because I had read that Flash updates would be included with the browser patches.

      But if that’s not the case with the “desktop” versions of IE10, that’s a dealbreaker.

      With all of the Flash/Air/Shockwave/Java updates, it becoming nearly impossible to keep the corporate environment secure. By the time we have something tested and piloted, we are already at LEAST 1 version behind, and often 2 versions behind. This is insane.

      1. JimboC

        Hi CW and Kent England,

        I have installed Flash Player Updates using Windows Update on Windows 8 several times recently. The desktop and Modern UI (Metro) versions of IE 10 are both updated at the same time via the one update that you install. If you have Automatic Updates enabled (it is by default), the Flash update will be installed automatically for you.

        Information about the Flash Player update is available in the following continuously updated Security Advisory:

        http://technet.microsoft.com/en-us/security/advisory/2755801

        In addition, since yesterday the functionality of Flash Player in the Modern UI (Metro) version of IE 10 has been fully unlocked, thus making it more useful. Full details are provided in the following Microsoft blog post:

        http://blogs.msdn.com/b/ie/archive/2013/03/11/flash-in-windows-8.aspx

        I hope this answers your questions. If I can provide any further assistance, please let me know. Thank you.

        1. CW

          Thanks for the links, JimboC. I confess that I’m still a little confused. It looks like you can now download IE10 for windows 7, but according the link you provided (http://technet.microsoft.com/en-us/security/advisory/2755801), the Flash updates are only being provided for Windows 8, Windows Server 2012, and Windows RT.

          My corporation (and probably most others) are using Windows 7. The whole point of upgrading to IE10 was to include Flash updates along with the regular IE10 updates. But if the Flash component still needs to be patched separately for Windows 7 systems, the upgrade to IE10 doesn’t accomplish my main goal.

          1. D.

            This is what I just read…There will be one important difference between the versions, however. Internet Explorer 10 on Windows 8 includes an embedded version of Flash that gets its updates from Windows Update, rather than through Adobe’s installer. On Windows 7, Flash will not be embedded. Instead, it will use the same ActiveX plugin as Internet Explorer 9 did. Updates will have to be installed using Adobe’s updater, not Microsoft’s. Does this help you…

          2. JimboC

            Hi CW,

            My apologies that my information was confusing. You and the poster named “D.”are correct, IE 10 for Windows 7 does not include the built-in Flash player. It must still be updated separately.

            The concept of a built-in Flash Player was only added in Windows 8. I assume back-porting this change to Windows 7 may have needed too much re-designing.

            You are correct that this situation will not meet your main goal. Are you finding that Automatic Updater for Flash in-effective? I find it great for non-version updates i.e. 11.6 to 11.6 but when a new dot release of Flash is made available i.e. 11.5 to 11.6, the auto-updater can take up to 1 week to update even if it is a security update, which is far from ideal.

            I would suggest deploying Adobe Flash via Microsoft System Center 2012 Configuration Manager (SCCM) or Group Policy if the auto-updater is not patching your systems fast enough or in an inconsistent manner.

            If I can provide any further assistance, please let me know. Thank you.

            1. CW

              Thanks for the follow up Jim. We do use SCCM to push out software updates (though as you may know, Adobe products are not part of the Microsoft catalog.) We’ve got to import 3rd-party catalogs in order to deploy them through SCCM. It’s “somewhat” successful, but there are always a decent number of failures related to the Flash updates, especially when you’re pushing to many thousands of machines.

              Not to mention the updates for Air, Shockwave, Acrobat, Reader, etc….it’s becoming unmanageable. For various reasons, I can’t just turn on “auto-updates” for these corporate machines.

              OK, enough venting. I can only hope Adobe slows down with the updates in the future.

              1. JimboC

                Hi CW,

                I am sorry to hear about the difficulties that you regularly face in updating the PCs that you administer. It’s a pity that in 2013 auto-updating is far from consistent.

                I don’t at all think you are “venting” in anyway, it’s a very legitimate issue you are facing with no easy solution.

                I am not trying to be funny/sarcastic/disrespectful when I say this, I presume only the PCs that need Adobe AIR and Adobe Shockwave have them installed? I haven’t used Shockwave since 2006 and AIR since late 2010. I uninstalled these as soon as I no longer had a need for them. If you could remove both of these from as many of the machines that don’t need them, you could save yourself a lot of updating.

                I realize that Shockwave is still used for lots of e-learning/training websites. I would even go as far to suggest that employees uninstall Shockwave when they are not undergoing training, again just to minimize the overhead of managing updates for it.

                I used to be in the frame of mind of “I might need this someday, I will keep on updating it just in case.” With the frequency of updates what they are now I am very much “If you don’t need it, uninstall it.”

                When I started a new role where I work in 2011, the deployment image on the new laptop that I received came with Adobe AIR and Adobe Flash installed. I uninstalled AIR since I knew it was very unlikely I was going to need it. Turns out I was right, I haven’t needed it. I used to provide product support via TweetDeck in 2010 that was the last time I needed Adobe AIR. From what I have read TweetDeck doesn’t use AIR any longer (can’t remember the source, sorry).

                As for Adobe slowing down the updates, it may do, but not for next month. I have read that Adobe are planning on patching Flash again. From my experience, they are likely to patch Adobe Reader/Acrobat too. Both of these are in response to the recent Pwn2Own 2013 competition that took place in the second week of March.

                I hope that some of my tips may be of assistance to you.

                Thanks.

        2. D.

          At least they know how it is being updated now, but I still would advise people to check and make sure that it was done when Adobe Flash Player has updates. Check that version number with what Adobe has just put out. Not to just count on Microsoft or Chrome and for get it. Microsoft had trouble last year for Adobe Flash Player in IE 10 in Windows 8 about updating. http://www.zdnet.com/microsoft-puts-windows-8-users-at-risk-with-missing-flash-update-7000003834/ . I know you were not looking this up for me but thanks for your info…D.

    2. JimboC

      Hi Kent England,

      Please see my reply above. Thank you.

  6. Angelina

    Hi , I would like to know something about Java . I have installed java 7 update 17 , java 7 update 17 (64 -bit ) , java ™ 6 update 43(64-bit) and finally java fx 2.2.7 (64 – bit ) . Do I need the Java 7 update 17 ? or just the java 7 update 17 (64-bit ) i did a speedtest and the page needed to install java plugin in this case the java 7 update 17

    1. Vee

      Well it depends. If you use a 32bit browser and have Java enabled for it then you should keep the 32bit installation. If it’s unplugged from your browser, then you only need the 64bit.

  7. muffin

    IE 10 was one of the important updates for windows that i received, but it was not automatically installed. i must check it. should i install it. i have IE9 on windows 7.

    1. Vee

      Yeah, get it. I’ve had it installed for a while and it is a pretty good upgrade from IE9. Benches faster in Sunspider and Peacekeeper benchmarks. It also uses a adobe flash whitelist.

      1. JimboC

        Hi Vee,

        The Flash whitelist was only used by the Modern UI (Metro) version of IE 10 on Windows 8. Muffin is using Windows 7 so this does not apply to his/her PC.

        In addition as I mentioned above, the Flash Player whitelist is now no longer used. It has been removed in favor of a black list of sites that have known issues with Flash within the Modern UI version of IE 10 on Windows 8.

        I linked to the blog post above that provides the details on this change.

        Before installing IE 10 I would also check if your PC is one of the affected systems as mentioned in the following Microsoft knowledge base article (in relation to issues with a prerequisite platform update). Further details are given in the following InfoWorld news article:

        http://support.microsoft.com/kb/2823483/en-us

        http://www.infoworld.com/t/microsoft-windows/microsoft-pushes-another-botched-automatic-update-213802

        I hope this helps. Thank you.

    2. pboss

      IIRC, that’s because the IE9 update takes precedence over the IE10 installation. If you re-check Windows Update, IE10 becomes auto-selected. (If you try to install both, you’ll get a Failed warning for the IE9 update)

  8. TJ

    Say what you will about Flash, but Adobe got some unexpected praise from Pwn2Own winner Vupen Security.

    Per ars technica:

    Flash harder to exploit than Java

    Researchers from Vupen Security, a company in France that sells “weaponized” exploits to democratic governments, were also able to pierce key defenses included in Adobe’s Flash Player, securing them $70,000.

    “It’s more expensive to create a Flash exploit than a Java one,” Vupen CEO Chaouki Bekrar told Threatpost reporter Dennis Fisher. “Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”
    http://arstechnica.com/security/2013/03/pwn2own-carnage-continues-as-exploits-take-down-adobe-reader-flash/

    1. JCitizen

      Ya, now if they could just make the auto-updater a little more reliable.

  9. Andrew

    FWIW the Windows 8 updates gave me the black screen of death upon booting after the updates were installed. I left the selections windows update had ticked for me instead of trying them all at once. For prudence you might want to back yourself up before trying these updates

  10. JCitizen

    My Dragon browser auto-updated just before this article came out.

    For those of you who use Comodo’s browser, the link Brian provided to determine if you are patched, will show a rather cryptic version number – but it means the same thing as the latest version.

    Version number [ ” 6 602’80] – apparently apostrophe substitute for “1”.

  11. 4xp review

    Its like you learn my mind! You seem to know a lot about this,
    like you wrote the e book in it or something. I believe that you can do with
    a few p.c. to power the message home a little bit, but instead of that, this is fantastic blog.
    An excellent read. I’ll definitely be back.

  12. Al

    Thanks this was help most help.I gotten so for I’m sure paying
    Microsuct for there mistahes.I think they have made enough thus for its about they stop it that crap.

  13. arigold

    For corporate networks I manage, I find that I cannot live with shutting out Flash. Air can go away for us.
    But to the point of Firefox – unfortunately there is a need to use Firefox. It is the most compatible browser available, and today so much business relies upon website interaction.
    Today many websites are compatible with Firefox. But not with Chrome. Additionally, Firefox still has advanced Addon’s that can help the businesses from hurting themselves (ad blocking, https everywhere, better privacy, disconnect.me, etc. ).We CANNOT expect employees nor business owners – no matter how many times you mention it – to care or be concerned with prevention. They will continue to click on an email that only contains a link. They will continue to be socially manipulated and click on spoof emails, as well as perform searches and click on interesting sites.
    No need to get sanctimonious. I’ve heard all the problems with clients and people, but it still stands – as the network administrator – you must take control.
    So we keep IE shortcuts off the desktop to avoid ActiveX exploits, as well as update PDF readers instantly when updates are released, and turn off the proper option under Preferences – Trust Manager. We use current hardware firewalls – and shut down entire countries, put up botnet filters, we spend the extra money on antiSPAM filters, use complex passwords and don’t allow users to change them. We push patches out within 12 hours of their release. We have corporate computer use policies. We teach basics to every employee. We carefully monitor all devices that move off site like laptops.
    Still, things happen.
    To the point of others, it is getting to be impossible to support networks using this approach. We need to rebuild computing and offer Desktops as a Service, and groom those virtual sessions. That is the ONLY way this will be manageable for the enterprise.

  14. muffin

    just wanted to follow-up on my message of march 12 about should i install IE10 on my windows 7 computer. well, i installed it and then uninstalled it. it does not work with my verizon webmail. the left side of my email page was missing–personal folders, trash, sent box, in box, compose, etc. all i could see were my inbox emails. i called verizon and they said their email is not yet compatible with IE10. so i have gone back to IE9. the uninstall was very scary but i had read on another site that the uninstall takes a very long time. it probably took about 40 minutes. IE9 is put back on as part of the uninstall of IE10. the lesson i re-learned from this: i’m not going to install something that has only been available a few months.. i will wait and install it later–may be 6 months from now.

    1. Easy Reader

      MUFFIN, YOU MUST REALLY HATE ie – IT’S THE ONLY THING YOU WILL CAPITALIZE! 😉

      Personally, I find all lowercase text at least as annoying as all caps — can’t we all write normally and just capitalize proper nouns, acronyms and the beginnings of sentences? It’s easier to read that way.

      1. muffin

        i’m sorry. i have pretty bad arthritis in my hands and doing upper case is pretty painful.

  15. Marci

    I have Windows 8 and I feel like I am constantly updating Adobe Flash. Guess I should look into this a bit.

Comments are closed.