July 9, 2013

Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.

crackedwinSix of the seven Microsoft patches released today earned the company’s most dire “critical” rating, meaning the patches plug security holes that could be exploited by malware or miscreants with no help from PC users, save for visiting a hacked site or opening a specially crafted document.

Microsoft and security experts are calling special attention to MS13-053, which fixes at least eight flaws in Windows’ implementation of TrueType font files. These critical TrueType vulnerabilities exist on nearly every supported version of Windows, including XP, Vista, Windows 7 and Windows 8, and can be exploited to gain complete control over a vulnerable Windows system, just by having the user visit a Web page that contains malicious TrueType content. To make matters worse, Microsoft says one component of this vulnerability (CVE-2013-3660) is already being exploited in the wild.

There’s something else that’s interesting about these TrueType flaws: Ross Barrett, senior manager of security engineering at Rapid7, notes that For the first time ever Microsoft is addressing a single TrueType vulnerability (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054). “By splitting this out, Microsoft is directly addressing a complaint about previous “rolled up” advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed,” Barrett notes.

The other big deal in today’s patch batch from Redmond is the Internet Explorer update (MS13-055), which is rated critical for all versions of IE and addresses 17 vulnerabilities. For a breakdown of the updates released today, check out this summary page, which includes links to all of the individual patches.

Also, Microsoft today announced a policy change related to the security of applications for sale or download in the Microsoft marketplace: Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patched within 180 days of Microsoft confirming the problem. Read more about that policy change at Microsoft’s Technet Blog.

ADOBE FLASH & SHOCKWAVE

brokenflash-aAdobe’s Flash Player update fixes at least three critical bugs in the program. Updates are available for Windows, Mac, Linux and Android versions of Flash. This update brings Flash Player to version 11.8.800.94 on Windows and Mac systems (other OS users see the chart at the end of this post). To find out which version of Flash you have installed, visit this page. Internet Explorer 10 auto-updates its built-in Flash Player; Chrome does as well, but the latest patched version of Flash on Chrome is 11.8.800.97. My installation of Chrome does not appear to have updated to the latest version yet.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (FirefoxOpera, e.g.).

Adobe also released a new version of its Shockwave Player software that fixes at least one critical flaw, bringing Shockwave to v. 12.0.3.133 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

shockwaveIf you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

Adobe did not release any updates for AIR today, as it normally does when it pushes out Flash updates. The company says it is not aware of any active exploits or attacks in the wild that take advantage of the vulnerabilities fixed in today’s Flash and Shockwave releases.

If all of this patch frenzy has your head spinning, consider using some free tools to help automate the process for you. File Hippo’s Update Checker works great on this front, as does Secunia’s Personal Software Inspector (I prefer PSI 2 over PSI 3, but your mileage may vary). And, as always, if you experience any problems or interesting issues applying the Windows updates or any of the other patches, please drop a note in the comments section below.

adobeflash11-8-800-94


43 thoughts on “Adobe, Microsoft Release Critical Updates

  1. anymouse

    “Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patches within 180 days of Microsoft confirming the problem.”

    I believe you want “patched.”

    “To find out which version of Flash you have installed, visit this page.”

    You forgot to include the link to this URL:
    http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html

  2. meh

    So Microsoft has been dealing with this same issue in Windows since the late 80’s and they still can’t manage to figure out their OS needs a reliable, built-in way to patch and update critical components yet?

    In 28 years of beta testing GUI based operating systems to the general public they can’t manage to figure out 95% of the stuff websites are trying to do isn’t desired by the user?

  3. Canuck

    Right now Adobe Flash’s update for Mac OSX leads to a 404 page – nice.

  4. WWH

    “Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.”

    I believe this observation applies to recent versions of IE on WinXP and Win7 as well.

  5. Hans

    That constant, never ending stream of “critical” updates for Windows, Adobe Flash and Adobe Shockwave are living proof that these pieces of software are broken beyond repair.

    Imagine driving a car which is gettinhg a recall to the repair shop once in 14 days. First time brakes have stopped stop working. Next time gas pedal has been jamming in full throttle mode. And now wheels are falling of at higher speeds.

    That car producer would have been sued into oblivion.

  6. Rabid Howler Monkey

    From the article:

    “To make matters worse, Microsoft says one component of this vulnerability (CVE-2013-3660) is already being exploited in the wild.”

    Inspection of the link leads to this Computerworld article detailing Google’s Tavis Ormandy’ release of demonstration code which exploits the vulnerability:

    http://www.computerworld.com/s/article/9239477/Google_engineer_bashes_Microsoft_s_handling_of_security_researchers_discloses_Windows_zero_day?taxonomyId=85&pageNumber=1

    Thus, this in-the-wild exploit of Microsoft Windows is brought to you courtesy of Google. Sad, really.

    1. Hans

      To be exact:
      *Information* for the public about that exploit in the wild is brought to you by Google.
      Those using that exploit knew about it without Google’s help 😉

  7. pogue

    Anybody have any negative experiences after installing the MS patch Tuesday patches? I rebooted back up to my laptop desktop as it looked when I first booted it the first time, back to the OEM settings. I got a message saying I was logged in through a temporary logon and I needed to logout and back in. So, I restarted, assuming I would need try and go back to my last restore point and before the patches were installed.

    But, I booted back up and everything was as it was – with the exception of the fact my screen dimness keeps changing (which was a driver/software issue from my laptop that has an automatic brightness detector and dims accordingly, I had disabled this feature, but after the Tuesday updates, its come back and I don’t remember how to solve it).

    Never had any problems with any MS updates ever, and I’ve been using their “Microsoft Update” scheme since it came out (what was it, Win98?)

    1. JimV

      I’ve got one XP Pro SP3 laptop that won’t install the .NET 1.1 SP1 patch (KB2833941) — WU gives the dreaded error code 0x643 and a direct installation attempt from the executable aborts because it can’t find the proper version of netfx.msi and won’t accept the manually-tagged version from the executable as valid.

      Having gone through this sort of failure several times before, I know the ultimate drill — try Aaron Stebner’s repair tool first, but that will likely not work and in the end it will require a full uninstall of ALL of the .NET versions from the machine and rebuild one at a time with their WU patches before moving to repeat that process for each newer version. In other words, a supreme PITA and incredible waste of time!

  8. The Utah Data Center/N.S.A./ Area 51/Room 641A/PRISM/Tempora

    How in the heck did I have 16 updates today for my Windows 8 machine? Those Microsoft Net Framework updates are becoming a pain in my “PC Roboto ”

    If Microsoft made airplanes , the captain would have to reboot the auto pilot computer in mid flight. He or she would have to fly the plane by way of safe mode or a DOS prompt , hundreds upon hundreds of people will die.

      1. d

        Yes, the Apple update DMGs are big, but you get everything in one bite! And you get all the components as one download. For some OSes, Apple allows you to download each update separately, i.e. iTunes.

        All of yesterday’s Windows updates successfully patched except the one for MSE. I am thinking it has to be one of those stupid framework things that serves as the source of the problem. I have tried to update through MSE, but after about 35 minutes it keeps failing. Too bad MSE doesn’t have a simple link that takes you to the site and allows you to download the update for a specific application. I REALLY wish Microsoft would change it’s procedures to update the OS and apps.

        Of course, I am at work and for 99 percent of my tasks, I use a Mac. However, since this Windows machine is part of the network, I want to keep it up to date. Or at least I am trying to…

  9. uyjulian

    Stop using Windows and Flash. Use Click-to-Flash or other similar extension if you want flash anyway. Use a sand-boxed virtual machine if you want Windows.

  10. Steve

    “Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patched within 180 days of Microsoft confirming the problem.”

    180 days? SIX MONTHS?!? Ridiculous.

    1. timeless

      Actually, it’s 180 days if it *isn’t* being actively exploited.

      > This assumes the app is not currently being exploited in the wild.
      > In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.

  11. Wayne

    Funny, I updated my Chrome to the latest version on Tuesday, but an update of Flash didn’t come along with it.

  12. mechBgon

    “Internet Explorer 10 auto-updates its built-in Flash Player”

    …but note that this isn’t the case for IE10 on Windows 7 (or its Windows Server cousins). In that case, it’s up to either the system’s Admin or the Adobe Update mechanism. On Win8, the ActiveX Flash Player does update via the Windows Updates mechanism, though.

    Touching on the TrueType font issue: this attack vector has been used before, and my preference is to arbitrarily address that by disabling font download in IE’s security zones panel. For those interested, open up Internet Options, go to the Security tab, and click the Custom Level button in the zone you want to modify (the Internet Zone being the most likely). That option is about halfway down the list.

    The downside is the obvious one: if the site uses a font your system doesn’t have, then IE uses its default font in its place. I can live with that.

    1. timeless

      Note that downloadable fonts are also supported in Firefox and Chrome.

      I haven’t checked the details, but historically Firefox’s certainly used the Windows Font subsystem. It was one of the reasons I was thumbs down on the feature in W3 (repeatedly).

      It’s also the reason that I’m glad NoScript defaults to blocking downloadable fonts in Firefox.

  13. Hans

    Those 9 digit version numbers of “Swiss cheese” software are telling a long and painful story of developers fighting the unwinnable struggle against the 1000 headed dragon of insecurity by design.

    Chop off 1 head and 3 new heads are shining up .

  14. Old School

    The Windows 7 folks need to run the Windows Update process twice because KB890830 will be installed on the second pass. Norton Internet Security released a patch today but the Norton Vulnerability Protection extension for Firefox is still disabled.

  15. Roman

    Thanks for the summary.

    In my company we deploy critical and security updates over WSUS. I am always wondering if I should deploy the normal Updates too. I never found good information about this topic. Perhaps some of you guys can give me a hint or point me in the right direction.

    So far we had no problems with the july patches.

    1. timeless

      Personally, most WSUS servers I’ve encountered (and this is only a handful) tend to be horribly out of date. Thus, I always manually check for updates.

      On my Windows 8 corporate laptop, I gave up and removed the WSUS references (our WSUS server didn’t have .NET3.5 which was needed by applications my employer created). On my Windows 7 desktop, I still manually click, the “check for updates from Microsoft”, but I look forward to reimaging the computer w/ Windows 8 in the near future (I’m also working on migrating coworkers to Windows 8).

      The other thing companies tend to do is use Tivoli or LANDesk to push updates instead, and those tend to be misconfigured to trigger mandatory reboots (often with annoying countdowns and unattended reboots) for updates such as the Flash Player update listed above. So, by manually updating everything eagerly, you can avoid needless reboots from the broken corporate-push daemon.

  16. Chris Thomas

    Google Chrome Component Updates

    Is this a new feature? Flash updates used to seem to come with Google Chrome program updates. Information on the feature is not very clear so I have no idea what to expect. It seems that the vital matter of promptly updating flawed software such as Flash is not treated with the urgency it deserves.

    1. BrianKrebs Post author

      Traditionally, Chrome has been very good about updating Flash on its own, often before even Adobe officially releases its advisories. But this time, they don’t appear to have done so yet.

      1. BrianKrebs Post author

        I realize this may be less than ideal, but FWIW this is the response I just got back from Google re: when the Flash update would be rolled out to Chrome.

        “As noted on the Chrome release blog, we started updating Flash Player to version 11.8.800.97 on Tuesday, independent of the Chrome 28 release, to ensure a stable and secure experience for our users. That version should be widely deployed to users before the end of the week.”

        http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html

  17. Debbie Kearns

    Your Adobe chart is all wrong! It claims that the Flash Player for Android 4.x is “11.1.115.69” and the one for Android 3.x was “11.1.111.64”, but all I see in the archived page is STILL “11.1.115.63” for Android 4.0 and “11.1.111.59” for Android 2.x and 3.x! Somebody needs to make a correction, because the Android Flash player is not updated since last month! 🙁

    1. EricDe

      To be fair: Adobe did update the Android versions on Tuesday and Brian’s chart shows the correct version numbers.

      Unfortunately it takes a couple of days till Adobe updates their “archived flash player versions” page (it has been updated in the meantime).

      In the future try the following trick: Go to Adobe’s archive page, take the link of the previous version as a template and simply replace the old version number with the new version number. Worked at least two times for me (including last Tuesday).

      Unrelated tip for Mozilla Thunderbird users: The Flash player plugin (called “Shockwave Flash” as it is in Firefox) is automatically enabled every time you update the Flash player plugin. So if you had it disabled in Thunderbird, you need to repeat that after every Flash update.

      Finally a big thanks to Brian for his outstanding work, it is very much appreciated around the world (in my case Austria, Europe).

  18. kelwin

    These summaries are of more help to me than several other sites combined. (Time for acknowledgement:-)

  19. Joe

    The Microsoft Security Essentials update opened an EULA window BEHIND the Microsoft Update Window and waited for user input agreeing to new terms and conditions.

    I couldn’t see that window until after I closed Microsoft Update. I thought the update had died, but it was waiting on input to the hidden window.

    Strange behavior for an update.

    1. JimV

      It was an upgrade and replacement of the main engine for MSE, not just an update of the malware definitions file. As a “new” software install, the EULA approval is pretty much a legal requisite.

      1. A

        Yeah, but why have it pop up under Windows Update? I too thought it had stalled and canceled the update. Only then did I see the EULA window, which had never popped to the fore.

        1. JimV

          There may be something in the MS scripting which caused it to pop underneath, or it could be a setting in your IE browser options since that’s the basis for WU — hard to say which. As I recall, the popup for the MSE upgrade on all of my machines (running XP, Vista and Win7) was out front/on top, not underneath.

  20. Alex Blackwell

    Google Chrome is now showing the 11.8.800.97 update.

  21. Yuhong Bao

    ” fixes at least eight flaws in Windows’ implementation of TrueType font files. ”
    Only one is actually related to TrueType.

  22. Rabid Howler Monkey

    Brian, an FYI.

    Microsoft Security Bulletin Summary for July 2013 has been updated to version 1.1 to acknowledge in-the-wild attacks on Internet Explorer 8 using a memory corruption vulnerability (MS13-055, CVE-2013-3163).

    Significantly, this in-the-wild exploit, along with the other memory corruption vulnerabilities, is mitigated by Internet Explorer’s Enhanced Security Configuration which defaults on Windows server OSs (and is not available as an option on Windows client OSs).

    Thus, Microsoft has now acknowledged a total of 2 in-the-wild attacks for ms13-jul.

  23. Harry Johnston

    There doesn’t seem to be a corresponding Adobe AIR update this time around? Does anyone know what’s up with that?

    1. JimV

      FYI, an update for AIR was released today that brings it to v3.8.0.870.

  24. Dijit44

    On my XPSP3 laptop, one of the .net1.1 updates (I forgot which of the two and will have to wait for the warning notice again) refuses to let the laptop hibernate when the lid is closed. Not a big deal operationally, as this is an old Toshiba and generally plugged in full time, but a weird update result nonetheless.
    I have seen no mention, yet, of this issue on the Windows security site.

Comments are closed.