July 8, 2014

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version 14.0.0.145 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.125.

Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice: once with IE (which uses the ActiveX control) and again using the alternative browser (e.g., Firefox or Opera, which use the plugin version). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program as well. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.
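Because the IE (ActiveX) and non-IE (NPAPI) copies of Flash are patched separately, a quick way to confirm that both are at the fixed release is to read the file versions on disk. The script below is an added example, not part of the original post; it assumes (as one commenter observed) that Flash installs under Macromed\Flash in SysWOW64 or System32, that the ActiveX control is named Flash*.ocx and the NPAPI plugin NPSWF32*.dll, and that 14.0.0.145 is the patched version from this release.

```powershell
# Added example: report installed Flash plugin builds on Windows and flag any
# that are below the patched release named in the post. Paths and file-name
# patterns are assumptions about where Flash installs, not values from the post.
$Patched = New-Object System.Version(14, 0, 0, 145)   # Flash 14.0.0.145 (8 July 2014)

# 64-bit Windows keeps the 32-bit plugins in SysWOW64; 32-bit Windows uses System32.
$FlashDirs = @("$env:windir\SysWOW64\Macromed\Flash",
               "$env:windir\System32\Macromed\Flash") | Where-Object { Test-Path $_ }

# Each browser family loads a different binary, so each must be checked on its own.
$Plugins = @(
    @{ Name = 'ActiveX (Internet Explorer)'; Pattern = 'Flash*.ocx'  },
    @{ Name = 'NPAPI (Firefox, Opera)';      Pattern = 'NPSWF32*.dll' }
)

foreach ($p in $Plugins) {
    $files = $FlashDirs | ForEach-Object {
        Get-ChildItem -Path $_ -Filter $p.Pattern -ErrorAction SilentlyContinue
    }
    if (-not $files) {
        "{0}: not installed" -f $p.Name
        continue
    }
    foreach ($f in $files) {
        # Build the version from the numeric parts so odd separators in the
        # FileVersion string (commas vs. dots) cannot break the comparison.
        $vi = $f.VersionInfo
        $v  = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($v -ge $Patched) { 'OK' } else { 'OUTDATED - update from this browser' }
        "{0}: {1} ({2}) - {3}" -f $p.Name, $v, $f.FullName, $status
    }
}
```

A machine that reports the ActiveX control as OK but the NPAPI plugin as OUTDATED (or missing) is exactly the "apply it twice" case described above.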



51 thoughts on “Microsoft, Adobe Push Critical Fixes”

  1. Jay

    Thanks for the reminder, Brian! Much appreciated.

  2. zackis

    Brian Chrome repackages Flash in a module called Pepperflash I would not be surprised if either A) pepper flash was not vulnerable or B) chrome simply has not yet updated pepper flash to incorporate the changes.

    1. SeymourB

      Pepper is just an API, like ActiveX, or NSAPI. Google does publish the Pepper version of Flash, primarily because Pepper is an undocumented plugin API so only Google can release Pepper plugins, but that version is based on source code from Adobe.

      Sometimes exploits are ActiveX or NSAPI specific, and in those cases you’ll only see a single plugin type revised. In cases where both ActiveX and NSAPI are updated, normally the Pepper version is just as vulnerable.

      Google has already stated they’ll be releasing a new version of Flash for Chrome, but instead of releasing a whole new version of Chrome they’ll rely on their component update model (which has a whole host of issues I won’t get into) to update Flash.

      If you don’t want to wait for Google to deign to update your particular installation of Flash, you can try disabling the Flash component in Chrome. At that point it’ll revert to using the NSAPI version of Flash, which you will have (hopefully) updated. Once Google gets around to pushing down a component update to your copy of Chrome, you can re-enable the Flash component and start using it again.

      It’s a crappy method but their component update model is, well, crappy. Not nearly as crappy as Adobe’s auto-update model but at least we can forcibly update everything without relying on their auto-update model… which isn’t the case with Chrome.

      1. Stu

        Great suggestion. To anyone wanting to do this (disable Pepper Flash), go to chrome://plugins/ to get to these settings.

        I tried to find a way to get Chrome to update its components. At chrome://components/ I can see a component called pepper_flash, but it’s at version 12.0.0.70. Clicking on the “Check for update” button doesn’t seem to do anything.

        IMHO, it’s all just a bit broken.

        1. nonegiven

          According to the Google support website, if you go to About Google Chrome on your menu, it will check for updates. It doesn’t actually finish updating until you restart Chrome.

      2. timeless

        Minor correction, the browser plugin API is NPAPI.
        http://en.wikipedia.org/wiki/NPAPI
        Netscape Plugin Application Programming Interface (NPAPI) is a cross-platform plugin architecture used by many web browsers.

        http://en.wikipedia.org/wiki/NSAPI
        Netscape Server Application Programming Interface, a technology for extending web server software
        (May be confused with NPAPI, another Netscape technology)
        NSAPI is a server plugin API like CGI-BIN and ISAPI: http://en.wikipedia.org/wiki/Netscape_Server_Application_Programming_Interface

      3. CJ

        I disabled the Chrome Flash plug-in as I’ve done in the past (usually when encountering Shockwave crashes) but for some reason I can’t get Chrome to play nicely with the current version of Flash I downloaded from the Adobe site. Usually both versions show up on the chrome://plugins/ page, but I’ve noticed lately that only the Chrome Flash plug-in is listed. So when I disable it, the browser perceives that I don’t have Flash installed at all. (Firefox can find the Flash download just fine, so I’m not sure what is going on.) I’m wondering if the Flash default install location has somehow changed. The latest version installed at c:\windows\sysWOW64\macromed\flash

  3. TheOreganoRouter.onion.it

    “totally snuck up on me today” You didn’t get the Microsoft security email, now back in monthly circulation?

    You are slipping there Krebs. LOL

    More internet users need to stop using Internet Explorer and move to a third party browser.

    1. Peter

      Why? It’s a Flash bug, so what does the browser matter?

      In fact Firefox doesn’t have a sandbox and hence comes at the bottom in every hack contest, and in reverse, on top is always IE11 + EMET.

      Knea yerk ….

      People better read this blog better and learn these things, and lose biases ☺

      1. SeymourB

        I hope you realize you can run Firefox through EMET.

      2. zackis

        Sandboxie is free and helps run any browser in a sandbox if that is your desire.

        1. Rabid Howler Monkey

          Not just any browser, but also browser plug-ins such as Adobe Flash Player and Java which run as a child process of the web browser.

          Brian recommends SandboxIE in his “Tools for a Safer PC”.

    1. JimV

      Even the official blog posting from Chris Campbell dated 7/8/2014 still explicitly states (and links to the download for) v14.0.0.110 as applicable to the normal runtime/desktop version, despite stating and linking to v14.0.0.137 for the SDK/compiler download.

      https://forums.adobe.com/message/6534513#6534513

      Go figure….

  4. Jack Duggan

    The last two updates for Flashplayer downloaded but did not properly install with Firefox using Windows XP as the OS. Is this the experience of others?

    1. Rob Patton

      I had that problem with XP and flash update 14.0.0.125 and found that when I uninstalled EMET 4.1 I could install the Flash update.

  5. Jackson

    Brian, you write that “Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice…” Not true in many cases.

    I have Windows 8.1 with IE 11, and I use a Firefox browser. Flash is actually built into IE in Windows 8.1, so it doesn’t even show up on the list of programs under Control Panel. My IE in Windows 8.1 always updates to the new version of Flash within two hours on the day a new Flash is released. The same thing happens with the Flash plugin for Firefox (which is listed on the programs under Control Panel). I don’t have to do a thing regarding either of these Flash applications, and it doesn’t take “days or weeks,” as you put it.

    It’s darn near instantaneous for both browsers, has been ever since I’ve had this system.

    1. BrianKrebs Post author

      You’re right, I should have said “may need to apply…” I’ll fix that.

      I’m glad Adobe’s Flash updater works for you. It has never worked for me in anything close to a real-time way. And I know I’m not alone here.

      1. Cog

        Just had the auto updater work for the first time ever yesterday. Had to click on twice the number of ok prompts, but it worked.

    2. a

      I used to try to get BK to fix this but gave up. Glad you mentioned it again!

  6. Gigi Jones

    Had same issue with XP and Adobe Flash two days ago. But tonight, went in as Administrator, and had no problem with Flash update. Perhaps if you try again it will work?

  7. selena

    Brian, I found your interview at NPR very important. Most of the things you said I have never heard of at all. I’d like to ask you a question, but couldn’t find the right place. My question is: Are Chromebooks safer than other computers/laptops? I know a person who uses it for online banking. Thanks for responding and thanks for informing us about hackers and safety!

  8. Dancho Danchev

    Brian baby, when are you coming home?

  9. Mike

    Not sure it’s related, but when updating Flash on IE it crashed and now won’t reload, i.e., it keeps crashing and closing…..

    1. Mike

      Reset IE Settings Under Internet Options Advanced – Now OK(ish) – or as much as IE is OK. Thx

    1. NotMe

      Thanks for the link to the NPR story.
      Great interview.

      Patches are not as fun…:)

  10. Mikołaj

    On Windows 8 I have the latest version automatically on Chrome, Opera, IE and Firefox. No need for manual actions.

  11. Mike (another)

    Regarding Adobe Air, the version number listed in the article is not the download on the Adobe site, nor on FileHippo. The Adobe site still has version 14.0.0.110, while FileHippo has more recent beta versions. FH does not have the SDK that I’ve seen, but I didn’t dig.

    Download AIR from Adobe. Check the properties (Details tab) of the downloaded file. It says it’s version 14.0.0.110. So, their announced update isn’t available yet, it seems.

  12. Harry Johnston

    The new version of Adobe AIR doesn’t seem to be available from the Adobe website. When I download from there I just get the previous version, 14.0.0.110.

    1. Harry Johnston

      OK, according to the table, the update is only available for Android and for the SDK, not for the Windows runtime.

      So … is AIR for Windows not affected, or have they just not bothered to ship an update? :-/

  13. Stu

    Brian,

    I think it’s great you’re publishing these notifications.

    However, you’re giving some people a false sense of security in saying IE10/IE11 will auto-update Flash versions. Anyone on older OS versions (i.e. not Windows 8 or 8.1) won’t have Flash updates pushed by Microsoft. For them, they’ll still need to check that they’re up to date and (probably) have to download updates themselves.

    It would be good to be clear about this when the next inevitable update comes along.

    1. BrianKrebs Post author

      The information about the auto-update feature being a Windows 8.x feature was in the original post that I filed, and last night I noticed that the version with the graphics removed was running on the site, so I’m not sure what happened there, but I will go ahead and add that information back in.

  14. zackis

    Brian, thanks for the info. More info is better than none at all. Even if all your message does is remind people to update, then they will be better off. Keep up the good work!

  15. luser

    pepper_flash – Version: 0.0.0.0

    after disabling the .125 here

  16. Stratocaster

    Interesting. When I checked the Adobe site after receiving the Black Tuesday notice from Microsoft, they had posted the Flash update, but the posted version of AIR was 14.0.0.110. It is STILL the posted version as I write this — no .137 yet.

  17. Jim Morrison

    It is July 10th and my Adobe Flash Player is still not updated in Google Chrome. What’s going on?

  18. Mr__Winn

    Any word from the Java camp? What is their release schedule now anyway? Monthly, quarterly…?

  19. ivan

    Hey, Brian!

    What about the movie you posted few years ago or so?

    It was about money mules as far as I remember.

  20. P

    Thanks for keeping people informed and for the e-mail that reminds us what needs updated! You are awesome!

  21. Jim Morrison

    I finally got the Adobe Flash update from Google Chrome on July 11, 2014. I guess they weren’t in a hurry.

  22. onlyinthe907

    Your cover image is missing Alaska from the nifty illustration of the U.S., it’s only the largest state in the nation.

    1. onlyinthe907

      This reply was intended for the Spam book you posted, idk how it ended up attached to the wrong article.
