Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.
Five of today’s 11 update bundles earned Microsoft’s “critical” rating, meaning that the vulnerabilities those patches fix can be exploited remotely by malware or miscreants without any help from users. At the top of the priority list for Windows users should be MS13-096, a patch that plugs a critical zero-day security hole in certain versions of Windows and Office. Microsoft first warned about this flaw on Nov. 5.
Microsoft also is urging customers and system administrators to prioritize two other critical fixes: MS13-097, a cumulative patch for Internet Explorer (all versions), and MS13-099, which fixes a dangerous scripting issue in Windows. All three of these patches fix bugs that Microsoft says are likely to be exploited by attackers in the near future.
Ross Barrett, senior manager of security engineering at Rapid7, points out a noteworthy patch (MS13-104) for users of Microsoft Office 2013’s “cloud” services, which apparently fixes another vulnerability that is actively being exploited. “This information disclosure issue affects the Office ‘client’ and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources,” Barrett said.
For more information on today’s updates, see the roundups at Microsoft’s Technet Blog, the SANS Internet Storm Center Diary, and the Qualys blog.
ADOBE FLASH AND SHOCKWAVE UPDATES
Adobe has issued a patch for its Flash Player software that addresses at least two security holes, including a vulnerability that is already under active attack. Adobe said it is aware of reports of an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content. The company credits researcher Attila Suszter for reporting the flaw; more information about this bug is available at Suszter’s blog.
To find out whether your system has Flash installed and at what version, check this page. Updates are available for Windows, Mac and Linux versions of Flash. The latest version for Windows and Mac users is 11.9.900.170, and 11.2.202.332 for Linux.
Google Chrome auto-updates its own versions of Flash (although not always right away); the newest Flash for Chrome is 11.9.900.170. Internet Explorer 10 and 11 on Windows 8 include an embedded version of Flash that gets updates from Windows Update, rather than through Adobe’s installer. On Windows 7 and earlier, Flash is not embedded, and needs ot be updated via Adobe’s updater or manually by downloading the appropriate version from this page.
In addition, Adode AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.9.1380 for Windows, Mac and Android devices. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here.
Adobe also issued an update for its Shockwave Player software that fixes at least two vulnerabilities, bringing Shockwave to v. 12.0.7.148 on Windows and Mac systems. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
You forget to mention that Firefox 26.0 was released today along with ThunderBird email client 24.1.2
Looks like with Firefox 26 they’ve made some changes with plugins: http://betanews.com/2013/12/10/firefox-26-arrives-makes-plugins-more-secure/
Basically it sets all plugins but Flash to “click to play”.
Security fixes can be found here on Firefox 26
htxxs://www.mozilla.org/security/known-vulnerabilities/firefox.html
There is good reason to move to Firefox ESR. Less breakage with “new features” and just security fixes. Firefox ESR 24.2.0 was also released at the same time as Firefox 26.
Additionally, Firefox ESR 24.2.0 only has 9 security fixes vs. Firefox 26 has 14 security fixes.
New features means more security fixes down the road.
Thank you once again, Brian, for your consistently impeccable and incredibly useful notifications of the monthly update lunacy — your vigilance on security issues and helpfulness of the included links are tops!
If your blog’s comment section had thumbs up buttons, notes of thanks would be your highest rated comments.
Brian, astute readers will note that the fixed version of Flash went out with Chrome on Weds Dec 4th, equating to almost a week of extra 0-day protection!
For the Flash patches that actually matter, Chrome _on average_ seems to get them to users faster. Security is my top priority so this is one of the reasons I use Chrome.
Adobe Flash automatic updates are useless. A month after the previous (November) Flash version became available, that version still had not been installed on two Windows 7 systems. Actually, IE ensured that the activeX version was updated but that leaves those who use the plugin version vulnerable.
A very dim performance by Adobe.
I have banned Adobe completly, years ago. One can easily live without Adobe.
Plenty enough alternatives for the PDF reader and you just don’t want to visit a site where you need flash for. It’s asking for problems.
Burry Adobe, because it’s lack of security consciousness is like the Osborne Effect…
I’m trying to update my Windows XP PC’s but Microsoft Update doesn’t progress beyond “Checking for the latest updates for your computer…” ಠ_ಠ
You should be more worried about dropping Win XP and upgrading to a minimum of Windows 7 before Microsoft drops security updates for XP in April, 2014.
Yeah, I’ve been noticing the same thing for my one XP system. It took hours for the updates to show and then they all failed when trying to install.
Something is up on their end for sure.
The way to fix this is to locate and *manually* download and install the latest update for IE8. You can locate it by doing a Google search on: ie8+most+recent+cumulative+update
Once that update has been installed manually, Windows/Microsoft Update should operate normally again.
This link should take you to the November IE8 cumulative update, and once that update has been downloaded an manually applied, Microsoft/Windows Update working again: http://www.microsoft.com/en-us/download/details.aspx?id=41052
The link that Marty posted is for Windows Server, not for XP. Here’s a link to the XP version, and it’s also for December, 2013: http://www.microsoft.com/en-us/download/details.aspx?id=28385
Well, for me I had to get this one: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2898785)
http://www.microsoft.com/en-us/download/details.aspx?id=41404
And that did fix the long wait. But the updates still failed when trying to install. So the hell with it, I’m just going to track them down manually and install that way.
I have noticed the same difficulty. What’s more, this also occurred in October and November. The first time it happened caused me considerable problems as the complete lockup of my main machine (automatic updates was enabled and an instance of svchost.exe was consuming 99% of processor time) made me jump to the conclusion that there was a system problem in that first system I attempted to update. The system behaviour was completely unexpected.
Windows Update for XP always used to work so what is M$ playing at? Automatic updates were always sluggish but now leaving automatic update enabled causes XP systems to effectively become unusable after 1800 UTC on Patch Tuesday.
I conclude that either M$ is causing XP to be a low update priority or that it has engineered some ‘modification’ of the update mechanism in an attempt to encourage XP users to migrate to later OSs.
I don’t know what else to conclude is going on. Updates were straightforward up to and including September 2013.
I have resorted to manual updates and take a very dim view of these apparent developments.
Since a new months ago a fresh install of XP won’t get updates until you perform the following steps:
1) Install SP3
2) install IE8 ( IE8-WindowsXP-x86-ENU.exe )
3) install Update Agent 3.0 ( WindowsUpdateAgent30-x86.exe )
4) install .NET 2.0+ ( NetFx20SP1_x86.exe )
5) install MS13-069 ( IE8-WindowsXP-KB2870699-x85-ENU.exe )
Non-fresh installs may need the newest Update Agent.
I had the same interminable “checking for updates” on one XP desktop as well, but since I had set the automatic update function to notify (but not download) I was able to click that system tray icon, bring up the list of available updates and get that machine to process all of them successfully.
This morning there was a security notice from MS with an updated TechNet posting which might point toward the culprit — the FixIt patch (51004) which was made available in response to the zero-day threat a few weeks ago needs to be removed by applying the appropriate patch (51005). I had downloaded both to a thumb drive, so disabling the earlier temporary workaround was straightforward, but others may have simply applied the initial patch online and not bothered to download the disabling patch.
If you applied the first enabling patch and now need to apply the disabling patch but don’t have it handy, here’s the relevant link:
https://support.microsoft.com/kb/2908005
Hello Brian . I have a problem with the link .If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. http://www.adobe.com/shockwave/welcome/
The site says that I need Shockwave for Director. ?
I have shockwave player 12.0.7.148 .Chrome 31.0.1650.63 m
adobe flash player 12.0.0.31
If your XP machine has gone all phlooey running SVCHOST.EXE at 100%, you’re not the only one. From last month’s Infoworld:
Windows XP update locks machines with SVCHOST redlined at 100%: Fix it with KB 2879017
[+94 Comments with more explanations re: December updates]
http://www.infoworld.com/t/microsoft-windows/windows-xp-update-locks-machines-svchost-redlined-100-fix-it-kb-2879017-230733
By Woody Leonhard | InfoWorld, November 13, 2013
Bug returns with recent patches in Windows XP’s Windows Update processing, as SVCHOST pegs 100% CPU utilization
”It isn’t a new bug, but it’s a killer, and this month’s round of Automatic Updates has brought it back with a vengeance. Freshly installed Windows XP SP3 machines running Windows Update — typically because Automatic Update is turned on — will stall twice. First, when Windows Update accesses the Microsoft website to gather a list of available updates, the machine can lock up for five, 10, 15 minutes — or more — with the CPU and fan running at 100 percent. Then, if the customer waits long enough for the updates to appear, and clicks to install them, the XP machine goes racing away again for five or 10 or more minutes, with the CPU redlined at 100 percent….
…
Will Microsoft go in and fix wuauclt.exe — or, better, fix whatever is broken in its back-end processing — before Windows XP turns belly up next year? I wouldn’t bet on it.”
I wondered what on Earth this SVCHOST process was doing — it consumed 30+ minutes of CPU time before it calmed down!
I fear it will go through that again after a reboot. I have turned checking for updates entirely off and will wait a day or two more to see if Microsoft does anything to resolve this.
WINDOWS UPDATE — WHAT A LOAD OF UNMITIGATED C-R-A-P!!!!
Is there no programming talent or Quality Assurance left at Microsoft, or is it that the Windows XP operating system is just such an unstable HOUSE OF CARDS at this point that interminable critical “Update” after temporary “Fix It” after “Update Rollups” just breaks one thing or another???? [I can never forget back in 2004-2005 I used to maintain a training classroom for a non-profit group full of Windows 2000 PCs when the “update rollup” managed TO BREAK THE ABILITY TO READ AND WRITE FROM FLOPPY DISKS — Arrrgghh!! See http://www.pcreview.co.uk/forums/kb891861-update-rollup-1-2000-service-pack-4-specifically-fastfat-sys-breaks-ability-save-office-docs-floppy-t2053275.html%5D
I just finished finally resolving the latest ridiculous SVCHOST.EXE goes crazy 100% CPU for 10 to 30 minutes while defective wuauclt.exe tries to figure out what updates are needed, EFFECTIVELY BREAKING THE UPDATER’s ABILITY TO UPDATE ITSELF.
In the interim, you have to TURN OFF Automatic Updates completely, as this foolishness repeats itself whenever you reboot the PC.
Finally solved with help from the update/comment from “Beard!” in this article…
Windows XP update locks machines with SVCHOST redlined at 100%: Fix it with KB 2879017 | Microsoft windows – InfoWorld http://www.infoworld.com/t/microsoft-windows/windows-xp-update-locks-machines-svchost-redlined-100-fix-it-kb-2879017-230733?
…I found this fix, which must be applied manually: Cumulative Security Update for Internet Explorer (2898785)
http://technet.microsoft.com/en-us/security/bulletin/ms13-097
Wikipedia says 31% of PC users are still on XP… and Microsoft was too stupid to even include a Start button on Windows 8?
Sheesh! Bill Gates became the richest man on Earth taking money from everyone who bought this crap, and now I should give him even more to get a new OS? I don’t think so. If I had the money, I’d jump ship in a minute to go to a Mac; instead, I’m probably going to be one of those XP users figuring out Linux soon. 🙂
Fertile ground for conspiracy theorists?
“I’m probably going to be one of those XP users figuring out Linux soon. ”
Though I would encourage anyone to try a flavor of Linux (Go for Mint or Fedora, and use either with Cinnamon interface) and I’m pretty close to going entirely Linux myself (if it weren’t for a few things I still need Windows for): updates on Linux aren’t any less problem prone!
Adobe management has provided revenue guidance of $975 million and EPS guidance of 26 cents respectively for the next quarter, lower than consensus estimates for revenues and EPS which are $1.02 billion and 34 cents respectively. bit.ly/AdobeAnalysts
Ok, for anyone that gets a 0x80246008 error (the updates fail) with Windows Update on XP:
See:
http://support.microsoft.com/kb/916251/en-us
Steps 2 and 6 fixed it for me.
Why is is that the Windows OS is a constant security risk with 0 day exploits being released every day and patches being released every month? Why hasn’t Brian asked is users to UNINSTALL WINDOWS UNLESS YOU ABSOLUTELY NEED IT or move to a more secure OS like Linux or OSX? He has no problem turning criticizing Java, but when it comes to Windows it somehow gets a free pass.
Java has actually been buttoned down rather securely by Oracle. Windows, however, is still the constant security, virus and malware nightmare it will always be.
I would posit the following three reasons why Brian might not follow or agree with your advice (but will certainly expect him to counter and offer his own reasoning if warranted):
1) The installed base for Windows is very large, widespread across both vertical and horizontal markets globally and encompasses users from complete novice to deeply experienced, while OSX and Linux (and now Android) have a far smaller and highly selective set of users or adherents in a much more narrow penetration among select geographic markets. This is changing rapidly with the shift from desktop/laptop hardware to tablet/smartphone hardware though, at least for individuals and more slowly for businesses and institutions.
2) Wholesale conversion on a voluntary basis from Windows to some other OS wouldn’t be realistic or feasible for most individual users who fall into the less-than-expert category, and for any business whose application(s) function reliably on Windows code (or MS apps largely designed for Windows code) and have become substantial revenue generators or critical elements of their strategic business activity, the cost of conversion (both acquisition in achieving a reliable substitute and time for staff implementation and retraining) to achieve comparable functioning is such a significant barrier most can’t justify or won’t entertain the notion. After all, there are still COBOL systems in use out there in the real world of institutional computing some 40+ years after that language became obsolete.
3) As market share of OSX, Android or Linux rises and increasingly evolves to represent a worthwhile supply of users for miscreants to exploit by comparison with the huge legacy market Microsoft has captured with Windows (and Sun/Oracle with Java), those same and new miscreants will devote more effort and attention towards finding zero-day exploits to provide the benefits of hacking they desire (whether financial gain or merely kudos among blackhat peers). For years, Mac users tended to gloat in the lack of malware or OS badness by comparison with Windows, but that’s no longer the case — that transition seems to be occurring even more rapidly with Android.
Finally, the fact that Windows has such a large market share and installed base means that Microsoft MUST for strategic business reasons ensure retention of substantial compatibility in new OS versions with legacy applications and functions for some significant period after each release, which the firm tries to minimize by its public specification of end-date termination of support to encourage (ever more forcibly as the date approaches) the migration of users to a newer OS version — but it’s those legacy compatibilities which frequently continue to provide avenues of exploitation in the newer versions, so there’s an implicit conundrum because with any zero-day exploit, MS has an intrinsic requirement not to provide a flawed patch which is insufficiently tested that might seriously break the functionality of systems upon which its business users rely.