September 10, 2013

Adobe and Microsoft each separately released a raft of updates to fix critical security holes in their software. Adobe pushed patches to plug holes in Adobe Acrobat/Reader and its Flash and Shockwave media players. Microsoft released 13 patch bundles to fix at least 47 security vulnerabilities in Windows, Office, Internet Explorer and Sharepoint.

Four of the 13 bulletins Microsoft released today earned the company’s “critical” rating, meaning that on balance they address vulnerabilities that can be exploited by miscreants or malware to break into vulnerable systems without any help from users.

For enterprises and those who need to prioritize the installation of updates, Microsoft recommends installing the Outlook, Internet Explorer and SharePoint Server fixes as soon as possible. The Sharepoint update addresses some ten vulnerabilities, including one that Microsoft says was publicly disclosed prior to today’s patch batch.

Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. Likewise, Internet Explorer 10 should auto-update to the latest version. To find out which version of Flash you have installed, see this page.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, e.g.), because IE uses the ActiveX control while other browsers use the separate NPAPI plugin.
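As an added example (not code from the original post), the PowerShell check below reads the file versions of both Flash components Windows keeps side by side, the ActiveX control IE loads and the NPAPI plugin other browsers load, and compares each against the patched build named above. The install directory and filename patterns are assumptions about Adobe’s usual Windows layout, and the comparison uses [version] objects because a plain string comparison misorders builds such as .97 and .168.

```powershell
# Added example: audit both Flash installs on a Windows machine against the patched build.
# Paths and filename patterns are assumptions (Adobe's usual layout), not from the post.
$Patched = [version]'11.8.800.168'   # Windows/Mac build named in the post

function Get-FlashInstall {
    # Returns one object per Flash binary found, tagged with the browser family it serves.
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\Macromed\Flash'),
        (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash')   # 32-bit copies on 64-bit Windows
    ) | Where-Object { Test-Path $_ }

    foreach ($dir in $candidates) {
        # Flash*.ocx is the ActiveX control used by Internet Explorer
        # NPSWF*.dll is the NPAPI plugin used by Firefox, Opera and similar browsers
        $files = @(Get-ChildItem -Path $dir -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -Path $dir -Filter 'NPSWF*.dll' -ErrorAction SilentlyContinue)
        foreach ($f in $files) {
            $vi = $f.VersionInfo
            # Build the version from the numeric parts; the FileVersion string is sometimes comma-separated
            $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Kind    = if ($f.Extension -eq '.ocx') { 'ActiveX (IE)' } else { 'NPAPI plugin (Firefox/Opera)' }
                Path    = $f.FullName
                Version = $ver
                Status  = if ($ver -lt $Patched) { 'NEEDS UPDATE' } else { 'patched' }
            }
        }
    }
}

# Why [version] matters: as strings, '11.8.800.97' sorts AFTER '11.8.800.168' and would look patched.
$asString  = '11.8.800.97' -lt '11.8.800.168'                 # False (string comparison)
$asVersion = [version]'11.8.800.97' -lt [version]'11.8.800.168' # True  (numeric comparison)
Write-Host "String compare says older: $asString; version compare says older: $asVersion"

$installs = Get-FlashInstall
if (-not $installs) {
    Write-Host 'No Flash binaries found in the expected directories.'
} else {
    $installs | Format-Table Kind, Version, Status, Path -AutoSize
    # A machine patched only through one browser typically shows one 'patched' and one 'NEEDS UPDATE' row.
}
```

Running the script after updating through only one browser makes the double-install requirement visible: the component belonging to the other browser family still reports the older build.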

Updates for Adobe Acrobat and Reader fix at least eight security holes in these products. For Windows and Mac users with Reader XI, the new version is v. 11.0.04. Users of these software titles can grab the updates from the links at Adobe’s advisory, or from within the software by choosing Help > Check for Updates.

Adobe also released a new version of its Shockwave Player software that fixes at least two flaws, bringing Shockwave to v. 12.0.4.144 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

Finally, there is an update for Adobe AIR, which you may have if you’ve installed desktop clients like Pandora or Tweetdeck. Adobe says it is not aware of any exploits or attacks in the wild targeting any of the issues addressed in the updates the company released today. Applications that rely on AIR check for updates upon start, but the latest version (v. 3.8.0.1430) also is available from this link.


Update, 11:06 p.m. ET: Apple just released an update that blocks older versions of Flash from running in Safari on OS X systems. “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 11.8.800.94.” That version is not the version of Flash that Adobe released today, but the one it released back in July. Which means if the last time you updated your Flash Player on your Mac was in June, you won’t be able to view Flash content in Safari if you apply the latest Apple updates without also patching Flash.


43 thoughts on “Adobe, Microsoft Push Critical Security Fixes”

  1. qka

    Brian —

    Since you’re talking about Flash today, it might be a good time to point out to you that some of your advertisers are using Flash in their ads. I, like many of your readers, use Flash blocking software as part of our online security regimen; so we are not seeing those ads unless we click on them. (And how many of us bother?)

    That aside, thank you for all you do and keep up the good work.

  2. Omer Bauer

    Again…Thanks Brian. Everything downloaded with no problems.

  3. Stratocaster

    Sometime I would like you to do a story on the source(s) of those Web ads for “free” downloads of Flash Player from non-Adobe sites. They are fairly common on webmail clients and usually involve a green text balloon. Something definitely smells fishy (phishy?) about them.

  4. Debbie Kearns

    I have a problem. If Google Chrome’s Flash Player is updated, then why does it say I have 11.8.800.97 instead of 11.8.800.170? 🙁

    1. BrianKrebs Post author

      Debbie, I think Google just hasn’t updated it yet. I noted this in the story above:

      “Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. “

      1. capuchinmonkey

        I can’t check at the moment because I am logged into a Windows XP user account that lacks administrator privileges, but when I tried to update Flash Player on my Chrome about five hours ago, it remained at 11.8.800.97.

      2. Stratocaster

        I think it is going to take someone with your stature in the industry to yank Google’s chain about this. Three days after Black Tuesday, none of my home PCs (one XP, two Win7) have auto-updated yet, nor did my work PC. They all claimed they were “up to date”. However, when I downloaded the standalone Chrome installer and installed that (29.0.1547.67) on my work PC (XP), it included the new .170 version of Flash Player.

          1. Stratocaster

            Indeed. But after waiting FIVE DAYS since Black Tuesday for an auto-update without results, I downloaded and installed the standalone version on my WinXP netbook at home (since my office PC is also XP). That is the Chrome version number, and it does include Adobe Flash 11.8.800.170.

            Brian?

  5. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore

    23 updates on my Windows 8 machine, including the one for the I.E. Flash player. Keep posting the articles, I read each and every one.

  6. femtobeam

    Update on Adobe Air for Google Android Nexus 7.

    I installed a new app tonight, Connection Tracker, which pushes notifications of uploaded data and its destination. Why would Facebook be continually uploading data to Ireland?

    It is nice to see Flash security updates finally! I wonder if this will have an effect on the Google Chrome lack of support, (in practice, a block and ban of Flash). I could not watch an important webcast again today.

    Hopefully, Microsoft updates will address the re-directions to fake servers and the notorious KB 1033 files. (Office 12) These were non-Microsoft updates that totally destroyed my HP desktop and Microsoft usage altogether. Thus, the reason I am using Google now.

    It seems to me that Google, by not accepting malware on Chrome, and also by insisting patches be fixed more quickly, has helped to push Microsoft and Adobe to fix these horrific problems. We will see what happens with Google Chrome Flash support. Of course, they could just move to HTML5.

  7. Rohit Mual

    I wonder my Chrome Flash version is still 11.8.800.97.
    Brian.. Is it the same for you as well!!
    Thanks for your work.

  8. Ken

    Brian,

    Normally, as you always mention, I have to install Flash twice in Firefox and IE, but today after I installed it in Firefox, I then opened IE and checked for the version and it showed the latest version 11.8.800.168. So for some reason I only had to install it once this time. I definitely hadn’t previously done anything in IE which I seldom use but I keep it up to date per your very useful reminders.

    Ken

  9. Anthony

    Hello Brian . I have flash player 11.9.900.93 and adobe air 3.9.0.790 . Do I need adobe air in my pc?

  10. Wayne

    Has anyone gotten repeated messages to download 3 updates for Office 2007 (KB2760411, KB2760588, KB2760583), even if you’ve already installed them?

    1. SeymourB

      Normally in cases like that you should download the updates by hand and attempt to manually install them, one by one. Sometimes they’ll install without any fuss but other times they’ll kick back error messages that will give you some breadcrumbs to work with, leading you down the path to fixing whatever’s causing them to not install.

    2. femtobeam

      Wayne,

      Watch out! Are those signed by Microsoft? Check to see if they successfully installed. Uninstall and reinstall, but first check to see if your Microsoft update site is correct in your network protocol. You can check with Microsoft to find out the correct addresses for updates. If they are not signed by Microsoft, they are the fake certs and you are being redirected to a fake Microsoft server for updates.

        1. femtobeam

          If they show up as having been successfully installed in your Update History and it also shows they are Microsoft updates and not a blank space for author, then the notices are popups on your bottom right screen? I suggest turning off automatic updates and then run a scan for new updates yourself. (Make sure it is the right address in your Network Protocols to the Microsoft Update server first.) If your own search for updates shows that you need to install something that was successfully installed already, then maybe if you restart your computer to see if this handles it? Before you do anything though, make sure the KB’s are from Microsoft. I do not know if this is the same as Win 7. What you do not want is to install fake updates. This is so important. Make backups of your Office Documents, if you suspect it, on external HDD. One way to tell if you are infected is to take an Office Document which is recent and Select Show All. See if there are any tiny characters, dots or spaces that are not supposed to be there and backspace them out.

          Maybe they just require a restart to install, but usually the computer restarts anyway after updates. If you have problems after restart, you will have to call Microsoft Support and tell them it is an update problem. They are supposed to help you for free for that.

          Hope this helps.

    3. fgs

      Wayne: Yes, I have had the same problem with those exact same three updates. Nothing I tried, including uninstalling the updates, fixed it.

    4. Bill Long

      I d/l’d all updates that applied to my setup and they
      all showed as “successful”. Then, about half hour later
      I started getting update notifications on three items
      related to Word 2007 that showed as being installed.
      Fine, I played the game a couple of times but the items
      continued to pop up as required updates.
      So I went to Windows update a checked the boxes to
      not notify me of those updates again. There was some
      Windows whining but that beats my usual whining about
      Windows.

    5. Bruce Sharp

      Yes. I am now “installing” updates every time I turn off my machine. Anyone know how to stop this?

  11. Rabid Howler Monkey

    Dear Microsoft,

    Please consider porting apt from the Debian Project to Windows. Not only would this be beneficial to Microsoft’s own updates (think managing dependencies), but it would also be very helpful with keeping 3rd party software updated. With apt modified for Microsoft’s usage in Windows, 3rd party application and platform vendors could simply add repositories to ensure that their software is updated.

    As it is now, 3rd party software on Windows has to do one of the following to ensure that it is up-to-date:

    o add a new service to manage updates (e.g., Google Chrome, Mozilla Firefox)
    o add a new task to the Task Manager to manage updates (e.g., Adobe Flash Player)
    o periodically check for updates when the application is running, notify the user when an update is ready to be installed and wait for the user to apply the update (e.g., Opera)

    It’s a mess! Windows Store apps that debuted with Windows 8 are strictly Modern UI apps and do not include traditional desktop applications such as Adobe Reader, Oracle Java, etc.

    P.S. I’m aware of alternatives from Secunia and FileHippo, but these are 3rd party solutions to a Microsoft Windows problem.

  12. mo

    Why is the date SEP 13, if comments are posted much earlier ? Data changing spam?

    1. capuchinmonkey

      If you mean the date of this post/article, the 13 is the year. The day of the month is the much more prominent 10.

  13. Anthony

    I have 8 updates : kb2870699 , kb890830 ,kb2853952 , kb2872339 , kb2876315 , kb2868116 , kb915597(windows defender definition 1,157,1576.0) , kb2836943

    1. Canuck

      I have a real computer – no weekly updates needed.

      ~thanks Monsieur Jobs

      Now if WordPress would only address the twits attempting to use xmlrpc.php for ddos I’d be a happy Canuck.

  14. Chris Thomas

    “Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. ”

    Not yet! At least Adobe allows you to download and manually install Flash updates. With Google Chrome you must wait patiently, perhaps forever?

  15. femtobeam

    Anyone else getting a bad certificate notice when linking to this string now? I was able to get back in because I still had the tab open on my tablet. If so, please check the certificate information in any warning and write down the Hierarchy info. Do not accept the certificate or proceed. If you have done so, go into preferences and find the bad certificate and remove it. Here is what showed for Hierarchy:

    1). AddTrust External CA Root
    2). UTN-USERFirst-Hardware
    3). Positive SSL CA
    4). krebsonsecurity.com

    No. 1 had 01 as a serial number and Size 1 Byte/8 bits, which is abnormal. I removed this certificate.

    I will post more info later.

  16. KB

    My Chrome still hasn’t updated; still running 11.8.800.97.

    What to do? Does anyone else have this problem? Currently using Windows XP.

  17. capuchinmonkey

    The installation of Chrome on my Windows XP PC STILL has Pepper Flash version 11.8.800.97!

    Curiously, it was announced today on http://googlechromereleases.blogspot.com/ that the Chrome browser for Chrome OS has been updated to version 29.0.1547.74 and this version includes Pepper Flash version 11.8.800.170-r1. Things that make you go, “Hmmm…”

    1. Debbie Kearns

      Yeah. I caught that Google Chrome update today, so I updated Chrome and its Flash Player is now 11.8.800.170. Sweet! 🙂

      1. capuchinmonkey

        My comment to which you replied was about Chrome OS (the OS on Chromebooks). You must be referring to the update to the Chrome browser for Windows/Mac/Linux, which came out later.

        You say sweet but I’m still bitter that Google never even acknowledged that the update to Pepper Flash didn’t go out as they said it would.

  18. KB

    Yup! When I updated Chrome today…..finally….Flash Player 11.8.800.171 came with it!

Comments are closed.