April 8, 2014

Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

crackedwinTwo of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches are available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog:

“From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.”

Microsoft offers free a Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, that it might be time to upgrade the computer hardware itself in addition to the software. In any case, beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

ADOBE

Adobe fixed at least four vulnerabilities in Flash, all of them critical. The company says it is not aware of any exploits in the wild against the flaws. The latest version is v. 13.0.0.182 for Windows, Mac and Linux systems. The Adobe advisory for the Flash update is here.

This link will tell you which version of Flash your browser has installed. IE10/IE11 for Windows 8.0/8.1 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 34.0.1847.116 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

If you use Adobe AIR (required by some desktop software products such as Pandora, e.g.,), you’ll need to make sure that’s updated as well. AIR usually does a good job of checking for new versions on startup. If you’re not sure whether you have AIR installed or what version it’s at, see these directions. The latest version is 13.0.0.83, and is available for manual download here.

flash13-0-0-182


22 thoughts on “Adobe, Microsoft Push Critical Fixes

  1. Greg

    A nit I’d like to pick: Windows XP hasn’t reached its 13th birthday yet. I was at the “official” launch event in New York City in Bryant Park, behind the main branch of the New York Public Library in October 2001. Bill Gates spoke; he said he asked then-Mayor Giuliani if it was appropriate to hold such an event so soon after 9/11 and Giuliani urged him not to cancel it, saying that New York City was “open for business.” Sting performed afterwards; when he did the song “If I Ever Lose My Faith In You” (that’s what I remember its title being) he omitted the lyric about never having seen a military solution that didn’t end up as something worse.

    Of course, Windows XP had been released to manufacturing well before that, but not by this day in 2001.

  2. AP

    I’m curious Brian… At one point it was a parade of Java updates. Now its been like one update in the past 5 months. Have they really fixed java that well or have they just decided to only update java on scheduled basis. Any idea?

  3. Jeff

    Java is an Oracle product. The moved to quarterly updates recently.

    Because we like critical vulnerabilities that are not blocked by Applocker to sit on our machines for 4 months at a time.

  4. Curious

    odd, the Adobe AIR installer says it’s updating from “4.0.0.1390” to 13.0.0.83, on 3 different systems (2x W7 sp1, 1x XP) that had been previously updated independently from the Adobe site with the most recent update (within the last month or so).

    1. RBBrittain

      I noticed that too, but I’m pretty sure the 4.x number is correct (IIRC it was 3.9.x before). My guess is Adobe decided to bump AIR’s version numbers up to the 13.x range, same as Flash (which AIR is somewhat related to). Ever-escalating version numbers seem to be the norm now; see Chrome (now on v34), Firefox (v28) & Opera (v20). Even IE is now on v11 for Win 7 & 8.

    2. MichaelM

      I see the same Air versioning (4.0.0.1390 to 13.0.0.83) on a Mac that is definetely kept up to date by if nothing else frequent use of Pandora.

      I likewise am assuming an intention of at least minor version parity with Flash.

  5. TheOreganoRouter.onion.it

    Easy month for security updates. Goodbye Windows XP even though it will still work without any major problems. I don’t get why everybody is freaking out about all the security issues. It’s Y2K all over again !

    1. RBBrittain

      Congratulations. Your PC now belongs to any hacker who figures out whatever bugs XP has that haven’t been patched, and now will NEVER be patched…

    2. Vee

      Win98 still “works” too, but you’re not going to want to use it for anything other than some nostalgic games/software experience.

      Anything built in the last 10 years (2002 onward) that’s i686 compatible will run Win7 or some flavor of Linux. For older hardware, pre 2000, there’s a few Linux distros like DSL, Tinycore, Xubuntu, Kwort- just to name a few.

      1. meh

        Win98 not really even good for that anymore… Dosbox works great for most of the DOS era games and even Win2000 in a VM probably as good or better than XP for the rest.

  6. timeless

    Brian: what am I missing? I see a paragraph, and then another paragraph in italics, they seem to have the same content…

  7. Likes2LOL

    iolo Technologies has a new page for XP users entitled “Survive the “XPocalypse” with System Mechanic — Tips to Help Keep Your PC Secure and Reliable.” See:
    http://www.iolo.com/resources/articles/survive-the-xpocalypse-with-system-mechanic/

    Video: ​Up To Speed: Surviving the “Xpocalypse” – YouTube
    https://www.youtube.com/watch?v=LZXRx94rb_8​
    The video’s caption reads, “On April 8 Windows drops support for the XP operating system. Find out how to use System Mechanic to keep your XP machine safe and running smoothly for a long time to come.”

    Besides updating to their System Mechanic Pro security product, iolo’s video recommends uninstalling Internet Explorer and Outlook Express.

    Is that all it takes to keep going with XP, only using the Firefox and Chrome browsers with “Enable phishing and malware protection” ticked on? I never used IE for anything other than Windows Updates anyways… BTW, I thought IE was so deeply embedded into Windows that it couldn’t be removed, or did that change after the EU’s anti-trust lawsuit?

    1. chasm22

      I’m not sure, but one thing that would give me pause to this idea is simply this; Microsoft updates are generally labeled with the particular product that the update applies to. In many cases they apply specifically to Internet Explorer, sometimes to Windows media player, but usually they apply to a particular version of Windows. Chrome is a browser, like I.E. It is not an OS like Windows. In other words, it seems likely to me that simply eliminating IE would not be enough and that continued use of XP as your OS would leave you vulnerable.

      A lot of people are trying to find ways that would allow them to continue using XP. As far as I know, there are none if you use your machine to connect to the Internet.

  8. Adam Davies

    XP has been vulnerably for a long time and Microsoft just keeps plugging the most important holes only till the end of support, that’s why we never saw SP3.

    1. rthonpm

      That’s odd: I’ve got XP Service Pack 3 running on all of my firewalled XP machines.

      You may be thinking of XP 64-bit, the red headed stepchild of Microsoft, which only had two service packs since it was really Server 2003 re-packaged as a client OS.

  9. Andrew Burday

    Re the Flash upgrade, there is a known bug that affects some 2006-2007 Macs. (People are also reporting problems with much newer machines but Adobe only acknowledges a problem with the older ones.) The only fix right now is to skip the upgrade. If you’ve already done it, you can uninstall flash 13 and reinstall version 12. Adobe promises a fixed version of Flash 13 within 45 days. Obviously if you’re worried enough about the vulnerabilities and you don’t need Flash, you might want to just uninstall or disable it altogether until Adobe sorts this out. Info from Adobe is here:

    http://forums.adobe.com/message/6285851#6285851

    1. Greg

      I just checked what the latest versions of Flash Player are. (I don’t trust Flash Player itself to let me know when there’s a new version.) There’s now a version 13.0.0.201 for Firefox, Opera and Safari on OS X.

  10. Chris Thomas

    You can wait for days, even weeks, for Adobe Flash automatic updates to deliver. Pathetic!

  11. Greg

    Google Chrome (the web browser) version 34.0.1847.131 for Windows and OS X and version 34.0.1847.132 for Linux were released yesterday. They include version 13.0.0.206 of the Pepper Flash Player plugin. Adobe hasn’t updated
    http://www.adobe.com/software/flash/about/
    yet to display this version number.

Comments are closed.