Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.
A majority of the patches released by Microsoft are fixes for products that run in enterprise environments. Chief among the consumer-facing Microsoft updates is cumulative patch for Internet Explorer that fixes a pair of flaws in all supported versions of IE. This patch also includes the emergency update that Microsoft released earlier this month to address a zero-day vulnerability in IE. Microsoft also issued fixes for several Office vulnerabilities. This month’s batch also includes a .NET fix, which in my experience is best installed separately.
Adobe released a fix for its Flash Player software that corrects at least six security flaws. The Flash update brings the media player to v. 13.0.0.214 on Windows and Mac systems, and v. 11.2.202.359 for Linux users. To see which version of Flash you have installed, check this link.
IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.
The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
In addition, there is an update available that fixes at least 11 security holes in versions of Adobe Acrobat and Adobe Reader. Windows and Mac users should update to the latest version (11.0.07).
Still on Windows XP and will be till something packs up or malware nukes my Dell desktop. Anyhow ran windows update for a laugh and it gave me Mays version of KB 890830 Malicious Software Removal Tool which is better than nothing i guess.
Pucker up. Now the hackers have unplugged holes to look for in XP. 😉
It’s now five days past Patch Tuesday and so far there are no exploits for Windows XP of which I am aware. [resumes crossing fingers]
Here’s what I got today on my own old XP System:
Windows Malicious Software Removal Tool – May 2014 (KB890830)
Security Update for Microsoft 2007 – KB2880508, KB2880507 and KB2817330
Update for Microsoft Office 2010 KB2825635
Note: I have other systems and this XP rig isn’t my main.
“Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.”
and
“Adobe released a fix for its Flash Player software that corrects at least six security flaws.”
and updates all too often obviate our specific Settings, do other sneaky unknown-until-too-late things, and yet we are supposed to have faith in and trust these programs issued by such flawed companies????
sounds like a dystopian novel
On the other hand, isolating yourself from the outside world (required to prevent an outdated system from getting infected) sounds like the unabomber.
It further appears that there is a new version of Adobe AIR (13.0.0.111).
How important are .NET patches with regard to keeping EMET running securely?
I’d be interested in an answer too. Brian, any ideas?
I am already starting to get Microsoft security update burn out this year and it’s only the month of May
“Security Update Burnout (SUB)”
I vote for this as term of the year and it’s only May.
I still run Windows XP, and three patches offered themselves today via auto-update. So apparently support hasn’t ended quite yet.
No, support for Windows XP has ended.
The updates were for Office 2007 or higher, or other Microsoft software on your system that is still in its support lifetime. You won’t see any updates for the core operating system, which is really were a lot of the nastiest issues can come from.
Heads-up for those of you who took preemptive measures on the recent IE zero-day: part of the attack depended on the VGX.DLL file, and one of the workarounds was to modify the Access Control List to deny access to that file.
If you used that specific measure (changing the ACL for the file, as opposed to unregistering it), then today’s MS14-021 update won’t be able to install until you undo your ACL change. To do that, start a command-line window using Run As Administrator, and run this command:
echo y| cacls “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll” /g original ACLs
as per Microsoft’s info from yonder:
https://technet.microsoft.com/library/security/ms14-021 about 1/3 of the way down the page.
I applied today’s batch to Win8.1 systems, some with 64-bit Office 2010. The “Restarting…” screen was taking a while, but they got through it.
“IE10/IE11 and Chrome should auto-update their versions of Flash.”
IE10 or IE11 will auto-update their versions of Flash on Win8.x, but not on Win7. Flash is bundled with Win8 and therefore Microsoft ships its updates to Win8 via Windows Update. Not so with Win7; it’s up to either the user, or Adobe’s own updater.
On the topic of Adobe, let me suggest that any Reader users 1) make sure they’re on Reader 11, 2) disable Adobe’s JavaScript feature in the Edit > Preferences panel, and 3) enable Protected View for PDFs from all sources in the Security (Enhanced) panel, like this:
http://www.mechbgon.com/build/reader_security_enhanced.png
Is there a comprehensive record somewhere of the number of security updates issued by Microsoft per month?
Might be interesting to see how those numbers behave over time.
here’s a good start
http://www.securityfocus.com/vulnerabilities
and hey, you should see how many of the security updates go un announced from other vendors.
https://secunia.com/vulnerability-review/vendor_update.html
here’s where you should go to see everything that’s broken
https://web.nvd.nist.gov/view/vuln/search
and here
https://www.sans.org/newsletters/risk/
and here
https://www.sans.org/newsletters/newsbites/
why is everybody always pickin on me?
Enjoy – and let me know when you find something you can fix.
bill gates %^(
There are, but what’d be really interesting is tracking the number of vulnerabilities fixed each month, since many updates actually fix multiple vulnerabilities. However, since Microsoft is closed source, there’s no truly accurate way of tracking this without trusting the vendor to provide truthful information (which is rarely, if ever, a good idea).
Microsoft will occasionally drag out the number of patches as a way of crowing about how secure they are compared to open source software, at which point the Microserf receives a boot to the head for not having provided full disclosure (e.g. source) to verify claims.
Thanks Seymour, good point re vulnerabilities vs updates.
I realize that the data “has issues”, but might nonetheless prove interesting.
I can think of four internet radio networks where Mister Krebs should/ could have a show:
http://www.rense.com/
http://republicbroadcasting.org/
http://www.libertyroundtable.com/
http://www.themicroeffect.com/
I have Adobe Reader X (not 11) installed on the Windows XP netbook I’m using at the moment and it was updated from 10.1.9 to 10.1.10.
Note that support for Windows 8.1 (not Windows 8.1 Update) ends next month.
It would pay folks using Windows 8 to check which exact version they have, if they do not already know.
Around and around it goes . . .
Forget Adobe reader . . . simply Try – – NITRO PDF Reader . . . It’s F-R-E-E and you’re gonna love it!
i
Is anyone else having issues pushing out the latest version of Reader? I extract the 5 files from AdbeRdr11007_en_US.exe, one of those is AcroRead.msi, if i run this .msi it installs Reader 11.0.00 not 11.0.07… I’ve tried it on a separate machine too and same result, seems to be packaged different from 11.0.06
I have the Maxthon web browser, when I go to update it says “You have version 11,3,300,271 installed” so I went to the Adobe Download Center and unchecked the McAfee box, and clicked to download the new version, and it initialized and downloaded, and said it was finished, and returned me to the prior page. But when I go to check my version it still says “You have version 11,3,300,271 installed” I need help! It is not working!
I’m not familiar with the Maxthon browser but I’ll take a stab at it.
Since you say you unchecked the McAfee download, I take it you have a Windows PC. Which version of Windows is it running?
Something else is going on at Adobe. Last night my Creative Cloud menu icon was diminished indicating it wasn’t ‘available.’ (Am a graphic designer) When I attempted to review the apps, nothing was there. It wanted me to sign in?? Then I did got a window that said ‘site unavailable.’ Went to Adobe’s main site and tried to log in there. Again, got the ‘Site unavailable’ and a small notice that said ‘site down for maintenance.’ This was around 10 pm. As of 6:30 am this morning, still nothing can be accessed. Interestingly, just before I discovered this last night, I got a prompt to Update Acrobat Reader, which I did.
Why doesn’t microsoft make a “Windows Lite” basically windows with all the old feature of Windows XP but security of Windows 7 ?
Because to get the security of Windows 7 you need most of the features of Windows 7. As maligned as Vista was, many of the changes that took place under the hood were security oriented (though the worst were simply change for the sake of change, or change to force you to purchase new hardware).
They have Windows 7 Starter which is a stripped down version of Windows 7, to fill the niche XP provided with low powered systems. To say its gone over like a lead balloon is an understatement.
If I’m not mistaken, netbooks that shipped with Windows XP Home (as well as those that shipped with Windows 7 Starter) can easily run Windows 7 Home Premium and better. (You’d probably have to max out the netbook’s RAM, though.)
I should add that the above is true of netbooks that have an Atom CPU. I don’t know if it’s true of those that have a Celeron or other CPU.
Can anyone explain why the IE trend line is saw-toothed?
WTF? Microsoft Update just showed me two critical updates for my Windows XP PC:
Security Update for Internet Explorer 8 for Windows XP (KB2964358)
Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2936068)
Oh, the cause of this must be my resetting IE yesterday as I was trying to get MSE to download the latest definitions update.