October 14, 2014

Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.

brokenwindowsEarlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is apparently present in every supported version of Windows. The New York Times carried a story today about the extent of the attacks against this flaw.

In its advisory on the zero-day vulnerability, Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document. According to iSight, the flaw was used in targeted email attacks that targeted NATO, Ukrainian and Western government organizations, and firms in the energy sector.

More than half of the other vulnerabilities fixed in this month’s patch batch address flaws in Internet Explorer. Additional details about the individual Microsoft patches released today is available at this link.

brokenflash-aSeparately, Adobe issued its usual round of updates for its Flash Player and AIR products. The patches plug at least three distinct security holes in these products. Adobe says it’s not aware of any active attacks against these vulnerabilities. Updates are available for Windows, Mac and Linux versions of Flash.

Adobe says users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 15.0.0.189. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 15.0.0.152 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.293 for Windows, Mac, and Android.

Finally, Oracle is releasing an update for its Java software today that corrects more than two-dozen security flaws in the software. Oracle says 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Java SE 8 updates are available here; the latest version of Java SE 7 is here.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. I don’t have an installation of Java handy on the machine I’m using to compose this post, but keep in mind that updating via the control panel may auto-select the installation of third-party software, so de-select that if you don’t want the added crapware.

javamessOtherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework, which also received updates today from Microsoft).


55 thoughts on “Microsoft, Adobe Push Critical Security Fixes

  1. Nathan

    Adobe sent out an e-mail to folks who have signed a distribution license with them. The direct link to Flash installers without the McAfee crud will be unavailable after November 18.

    1. Moike

      Bummer, I suppose it has become too convenient for us to deploy the monthly security update using the easy method.

    2. Steve Cain

      From the e-mail I got it appears if you have a valid distribution license you can still get the stripped down version of Flash.

      • Approved licensees will receive a unique access link to the new hosting page. Only those with a valid link will be allowed to access the page.
      • The existing hosting site URL will be decommissioned on November 18, 2014. Any attempt to access this page after that date will cause a redirect back to the Flash Player Download Center
      • Users with a valid unique access link will be given a limited number of uses to access the new page during the 12 month license term

      1. Nathan

        Yes, you can get it if you sign their license. But there won’t be any way for someone to publicly link to the MSIs. The only thing that security blogs can point to is the main download page.

        They claim it’s to “give you the latest versions of the Flash Player in the most secure manner possible”. I’m confused as to how limiting direct MSI access to people who sign their agreement is more secure.

    3. tehantioch

      This doesn’t appear correct, the adobe distribution page has the latest .msi available now for download right now

      1. Nathan

        Yes, and it’ll stay there until November 18. After that date, the page will go away.

    4. Adobe-Wan Kenobi

      Nathan,
      Are you referring to this link here?
      “https://www.adobe.com/products/flashplayer/distribution3.html”

      makes sense, these lowlife daesh criminals get it from here too. it should’ve never been made publicly available out right like this. I’m sure they’re going to make a distro channel for legitimate user / org availability that doesn’t include all the 3rd party junk that they’re making monies on for themselves and the 3rd parties. maybe they’ll learn from their mistake of greed and get down to business in protecting their investment, one of which is the public trust that when a popup says you need to update it’s coming from the valid source. And hopefully they’ll learn from Apple and Steve Jobs maniacal obsession with security on OEM and OS resources housing, distribution and validation. but at least we have Hope.

      Adobei-Wan Kenobi. You’re my only hope!

  2. Rob Fielding

    For fark’s sake…Oracle just disable applets. It’s not “Java” that’s the problem… It’s “Applets”, and it’s taking down the Java brand. I am so tired of arguing with people about the security/performance wisdom of using Java Server code from otherwise smart researchers who spend their days farking around with applets running in web browsers – thinking that it’s “Java” that is the issue.

    1. Steve Cain

      No, there’s a new release in the Stable channel related to Flash.

      “The stable channel has been updated to 38.0.2125.104 for Windows, Mac and Linux.

      This release contains an update for Adobe Flash as well as a number of other fixes. A full list of changes is available in the log”

  3. Old School

    There seems to be a problem with KB2952664 in Windows 7. I reported the problem to MS and MS tech support said that I would have to pay a fee to get help with a complex problem. In response I offered my services gratis should they want my help in fixing their problem.

    1. Phoenix

      That one failed for me too. I’d say it’s their problem.

    2. Phoenix

      There’s a number of failures reported in the DSL Reports. Click the link in in Brian’s blog list.

    3. David

      It’s a strange one. The Update History shows it as failed but it is listed under Installed Updates. The restart after installing updates also caused two reboots.

      1. SeymourB

        If you uninstall the update, then hit Windows Update again, it’ll not only list the update as available, it’ll install successfully too.

        It’s bizarre that Microsoft lists a failed update as installed. Apparently the guy in charge of the installer for that patch had more important things to do than make sure it fails gracefully.

    4. grayslady

      KB2949927 wouldn’t install for me. When I tried to install from the Microsoft site for this particular update, I received a message saying that the update didn’t apply to my computer. This usually happens when Microsoft issues some kind of “roll-up” update that is just a regurgitation of updates most of us have already installed. I don’t know why they do this.

    5. Dirgster

      I had the same problem with KB2952664 failing to install on my Windows 7, 64-bit, machine. Here is a fix that worked for me: Uninstall the update (Click on Windows Update – in left panel, click “View Update History” – Under “Review your update history” at the top, click “Installed Updates” and look for KB2952664. Click to highlight KB2952664 and, from the menu that pops up, choose “Uninstall”. Reboot your computer, go back to “Windows Update”, click “Check for Updates”, and KB2952664 should come up again for downloading and installing.

      1. muffin

        Thank you, Dirgster for your help with KB2952664 failing to install. That worked for me too.

  4. TheOreganoRouter.onion.it

    Thanks for posting this article, I always look forward to reading them.

    Their was also a browser update to Firefox 33 and a update for the Thunderbird email client :–)

  5. mechBgon

    On some of my systems, this month’s Malicious Software Removal Tool seemed to be stalled, or else it was planning to take far, far longer than usual. I restarted the affected systems and took another run at it, and it got through. Anyone else having their MSRT monthly update stall out?

    1. SomeGuy

      Mine didn’t stall, but it took at least 10 time as long as usual to complete.

    2. Warren

      I used sphinx-soft’s firewall control, nothing gets out until approved.

      Two unknown ‘setup.exe’ were blocked automatically until allowed out on port 80.

      The Malicious Software Removal Tool – stalled – until I opened port 80 for it to phone home.

      1. Warren

        The two unknowns that needed help getting home.

        C:\77f1264493246420c9176926a802c8c8\setup.exe
        C:\e2d5638e61c26d00d8feec\setup.exe

  6. MikeC

    CrowdStrike has seen the Zero-Day Privilege Exploit being used by a Chinese based actor called Hurricane Panda.

    Good blog post about it.

    CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda

  7. eddieski

    So I like to use Qualys for browser checkup… And low and behold, java and adobe have updates, oh and FF at 33.
    Well I just cringe at Oracle wanting to push Ask Toolbar (I have to opt out) then brag about over 3 billion devices installed. Really? Oracle isn’t making enough that it has to push junktool bar and search changes to me?
    Then after installing, launch explorer (by default) and request me to verify any out of date java (and accept the plugin).
    Can’t wait to see what Adobe dealers want to push on me…

  8. Weebler

    I don’t suppose there is some sort of a reason for Adobe’s installers to consistently malfunction (they simply hang on launch) if run from a network share rather than a local folder?

    It’s rather inconvenient to have to run from workstation to workstation with a USB key instead of being able to just download them to a network share and then (perhaps remotely) trigger their execution on each workstation and have them all update. (And downloading a separate copy from Adobe’s website onto each machine seems like it would be especially wasteful of time and bandwidth. I suppose I could rig some Rube Goldbergian system to copy them from a share to each machine, run them, and delete them, but that seems needlessly complex when they could, in principle, simply work properly when run directly from a share…)

    1. Penn

      I suspect this may have something to do with the behavior that the installer copies itself to a temporary place and deletes the launcher. Perhaps an executable launched from the network share doesn’t have the desired temp folder permissions on each machine.

      The installer deleting itself is tidy for home users, but quite annoying for sysadmins.

      1. Weebler

        The MSI installers don’t delete themselves, and those are the ones I use, precisely because I don’t want them deleting themselves before every machine is updated.

  9. And My Axe!

    When Linux has a rare remotly exploitable vulnerability, the crows come out in full force and never STFU — while Windows continues to patch remote exploits all of the time and well, that’s just Windows!

    “Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document.”

  10. Tom

    My installation of Chrome is currently updating from 37.0.2062.124 m to 38.0.2125.104 m which should contain the flash update mentioned above 🙂

  11. tehantioch

    Brian it should be noted that as of this release Oracle is pushing Java 8 as the default download from here forward, even your direct link to the Java 7 download is a download for Java 8 U 25

  12. Eric

    I have always had this naive hope that the number of new serious bugs will eventually dwindle to nothingness. Sadly, this will probably never happen.

    My solution to Adobe updates is to uninstall instead of fighting with an upgrade. Most machines that I have don’t really require it, and it is easier for me to uninstall than it is to keep track of which machine has what installed.

    1. tehantioch

      As more sites use HTML 5 Flash should fall by the wayside. We just need a viable replacement to adobe reader and were all set. Hopefully windows 10 and the build in PDF browser will do this for us.

  13. Allen

    Unless I am missing something obvious, JRE 8 installers are back to the archaic stupidity of not removing older versions. I noticed this in the last release, and hoped it would be fixed in this one. Guess not. I would like to punch Oracle.

  14. Stratocaster

    NYT: “Representatives for Microsoft and the Russian government were not immediately available for comment.”
    So the Times expected Russia to admit their clandestine support of criminal activity to the western press?

    1. SeymourB

      It indicates that they were reached for comment and chose not to.

      That way when their spinmasters come out and claim this is a non-issue, they can’t also claim that nobody contacted them to get their opinion. Or, at least, they can’t say that truthfully.

      It’s all about CYA… you run a story on someone, you contact them before press time to get a comment from them on the story, then you mention that you contacted them whether or not they commented. It stops the wide-eyed innocent “they didn’t tell me” nonsense. They had a chance to comment, they declined, and it was so noted in the article.

  15. chesscanoe

    Up to this afternoon I had Java 7 Update 67 installed on Win7x64 Home. This evening the automatic Java Update Checker on the PC said I already had the latest Java (J7U67) installed, and it closed. However going to Java.com and checking for latest Java, offered J8U25, which installed OK but left behind J7U67 per Control Panel and Belarc Advisor. Running Process Explorer and invoking http://www.wordle.net/create to test Java showed J8U25 was running wordle by default just fine.

  16. Andrew

    Woken up this morning to find that none of the Addonchat chatroom software is working. I use these every day. Gah.

    1. chesscanoe

      SSL-3 can be unchecked in the Java Control panel, as well as IE and Firefox.

  17. Stu

    Re: “Sandworm”. iSight Partners isn’t calling the vulnerability “sandworm”, that’s the name of the Russian hacker group. BK, you rightly noted that it “is apparently present in every *supported* version of Windows.” Isn’t it ironic that iSight’s report said “XP is not impacted”?

  18. 1776

    Updates still failing this morning after 3 attempts yesterday.

    Takes about twenty-minutes to return the fail error and revert.

    Has somehow traumatized my computer causing slow boot and slow program loading.

    Thanks Bill!

  19. Brian

    Would be amazing to live in a world where dodging McAfee bloatware when updating doesn’t become increasingly difficult. Oh well.

    When’s Flash going to be universally replaced by HTML5 already?

  20. David

    Java prompted an update on my win7 laptop, then the, “security features in 7 51 prevented the update from happening.,”
    Circular neatness?

  21. Harry Johnston

    KB2949927 appears to have been withdrawn. It was expired from WSUS earlier today and the download links in the KB article and the advisory don’t seem to be working either.

  22. Jerry

    When I went to install the latest updates on my Win7 64bit machine, I went to the list of updates on Windows Update. KB2949927 was unchecked. I googled the issue. KB2949927 is an upgrade to a new version of SHA (SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2). I found some info on an IT site, www dot bleepingcomputer dot com/forums/t/552022/new-update-ruined-windows-7-boot-updater/. I left the update unchecked on Windows Update.

    To confirm what Harry Johnston saw, KB2949927 was no longer visible this morning on Windows Updates on my Win7 machine.

    BTW, KB2952664, as I understand, is to ease upgrades from Win7 to 8.1. I never tried to install it. (answers dot microsoft dot com/en-us/windows/forum/windows_7-windows_update/what-exactly-does-kb2952664-do/b3ec3f95-2e6a-414b-ad18-0420a24f28d5)

  23. Likes2LOL

    ​Microsoft’s kind of like the White House, releasing embarrassing information late on Fridays:

    From: Microsoft
    Date: Fri, Oct 17, 2014 at 8:00 PM
    Subject: Microsoft Security Advisory Notification

    —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA256

    ********************************************************************
    Title: Microsoft Security Advisory Notification
    Issued: October 17, 2014
    ********************************************************************

    Security Advisories Updated or Released Today
    ==============================================

    * Microsoft Security Advisory (2949927)
    – Title: Vulnerability in SSL 3.0 Could Allow Information Disclosure
    https://technet.microsoft.com/library/security/2949927
    – Revision Note: V2.0 (October 17, 2014): Removed Download Center links for Microsoft security update 2949927. Microsoft recommends that customers experiencing issues uninstall this update. Microsoft is investigating behavior associated with this update, and will update the advisory when more information becomes available.

Comments are closed.