January 14, 2015

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

brokenwindowsLeading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.

For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch. Somehow I doubt this is the last time we’ll see this tension between these two software giants. But then again, who said patching had to be boring? For a full rundown of updates fixed in today’s release, see this link.

Adobe, as it is prone to do on Patch Tuesday, issued an update to fix a whole mess of security problems with its Flash Player program. Adobe’s update brings the Player to v. 16.0.0.257 for Windows and Mac users, and fixes at least nine critical bugs in the software. Adobe said it is not aware of exploits that exist in the wild for any of the vulnerabilities fixed in this release.

brokenflash-aTo see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

As always, please feel free to sound off in the comments section below with your experience about applying any of these security patches.


51 thoughts on “Adobe, Microsoft Push Critical Security Fixes

  1. Peter Capek

    Adobe should take the high road and not put any new function into Flash until it has been free of the need for security patches for six months. It’s clearly too complicated and/or too large a program for their ability to deal with it.

    1. Neal

      That is the same for any plugin. “Plugin” are a misnomer, all programs are full fledged programs that inject itself into the browser. Any program that uses the internet is a security risk especially one that is as universal as Flash.

      In fact, I think adobe has done a decent job with Flash, it introduced a sandbox model for Windows vista and up years ago, and it is regularly patched.

      As for a six months patch period. That is a dream, no widely used plugin, browser, or internet enabled program is secure for 6 months at a time.

      Also Adobe has froze functionality, they have a extended support version based on their older versions that they keep around for enterprise, but those get regularly patched too.

  2. Chris Thomas

    I have ceased to use Google products owing to what I perceive to be a juvenile and immature attitude to its users. The straw that broke the camel’s back was the Cloud Printing feature which did not work and left a friend unable to print from Google Chrome.

    I blame this new cold war chiefly on Google.

    1. svim

      While there’s certainly some validity to your complaints I think overall your arguments fail when you look at the Big Picture. All the major players in our online world can be blamed or praised simply by applying biased viewpoints. Google scares me mostly because of the massive amount of data it’s collecting on all of us but at the same time Google is one of the few corporations that work off of a business model that doesn’t require building vendor lock-in, walled gardens. Apple, Microsoft, Facebook, etc., etc. are most definitely not innocent doing ‘evil’ things to consumers. Google feeds off of more people simply being online while the others require people being online but only under their specified control. But don’t forget it’s Google that’s investing its own money to start up seed fiber Internet centers defying the lies other corporations like AT&T, Comcast, Verizon, etc. that clearly state it’s too expensive to do so without government financial kickbacks. Don’t forget that it was Google that invested its own money into open sourcing online codecs like VP8/webm defying the MPEG-LA consortium (consisting of corporations like Apple, Microsoft, Sony, etc.) in an attempt to free up online audio/video content from proprietary lock-in. Don’t forget that it was Google that had to stand up against the patent troll consortium Rockstar (again funded by wonderful corporations like Apple and Microsoft) with its dumb-ass lawsuits. Don’t forget it’s Google that has been funding its ‘Summer of Code’, a yearly event that aids non-profits with interns, going back many, many years before the recent trendy push to teach coding and programming in a more public way.
      So yeah, go ahead and hate on Google but if you’re using an Apple or Windows computer, or have a Facebook account, or use Comcast, Verizon, AT&T, etc. for online access, or do anything with any kind of computer device it’s not like you aren’t part of the problem too, we all are, and the more people that realize that Google isn’t the real problem the better chance we have in coming up with real solutions for our very real problems.

      1. skywiper

        Yeah you have a point but it all boils down to “the accounts” be it google or whatever for-profit organizations.

  3. EstherD

    That argument would be even stronger if you applied it against browsers. But it’s wrong-headed in either case.

    A better approach would be to require that most NEW features be DISABLED by default, and insist on good web-based documentation describing how to enable them. The (2 or 3) users who might actually use them would be motivated to learn how to enable the ones they need, and the rest of us (who do NOT need those bells and whistles) wouldn’t be subjected to the bugs and security flaws that those new features entail.

    As it is, every time Firefox releases a new version (like today), I have to spend a couple of hours trying to figure out what new features they’ve added (that I neither want nor need) and how to disable them. Sadly, the documentation for THAT is (generally) sorely lacking, because — HEY — Mozilla (in it’s infinite wisdom) is CERTAIN that EVERYBODY really needs all those clever new toys they just finished building. So what would be the point in providing clear and simple instructions for turning them OFF?!

    1. EstherD

      Looks like I plotched… my comment (above) was intended as a reply to the comment by Peter Capek, and doesn’t make (much) sense unless read in that context.

    2. Peter Capek

      To EstherD: I think your suggestion to disable new features by default is fine, but to the extent that those features introduce new interfaces or function, we know that most people will never turn them on (because most people don’t change any settings…). But it might be a good way to allow some people to test them, and in a later release change the default to enable them.

      This area is clearly one that needs more work.

    3. J G

      Maybe you should buy an air-gapped computer if you’re so worried about security flaws that you spend “a couple of hours” disabling features every time a new browser version is released.

    4. Kihi

      Chrome and Firefox already do that. New features are introduced in their test channels and gradually ported down through test channels to the official releases. Chrome has Canary, Dev, Beta, Stable. Firefox has Nightly, Aurora or Developer, Beta, Stable.

      Also, Mozilla has Firefox Extended Support Release for those who don’t want to grapple with new versions or features, but still use a secure browser. Just google Firefox ESR, it will save you the time, or hours you said you waste whenever Firefox releases a new version.

    5. Alphis

      Features in both Chrome and Firefox go through several test channels before they are released. Chrome has Canary, Developer, Beta, and Stable; Firefox has Nightly, Aurora, Beta, Stable. So anybody who wants to know won’t be blindsided.

      Mozilla also has an enterprise friendly Firefox version called ESR. Instead of wasting hours after each new release turning off features, just switch to Firefox ESR.

    6. EstherD

      Whoa! Hit a nerve there, seems. It’s OK… The Kool-Aid will fix that.

      If I wrote a detailed rebuttal of all the points raised, then I’m sure I’d be accused of trolling. (Might happen anyways, but it can’t be helped.) Instead, I’ll just respond to a few of the particularly egregious ones.

      ESR is a sop thrown to users like me who are unhappy with the current Mozilla “rush it out the door as fast as you can” release cycle. ESR doesn’t solve the basic problem of massive, creeping featuritis overload. Or inadequate pre-release testing. It just postpones the inevitable pain and suffering a bit.

      Eventually even ESR support comes to an end. And then what? A sudden lurch into a brand-spanking-new ESR release and whatever brave new world has been brewing whilst one was off clinging desperately to the previous ESR in order to get some real work done. So instead of being forced repeatedly to swallow unpleasant medicine in multiple small doses, one instead has to choke down a HUGE mouthful in a single sitting.

      Furthermore, there’s the timing issue. New ESR’s are released on a FIXED schedule, not when it would be sensible to do one. The last ESR release, for example, was done immediately AFTER a HUGE batch of user-interface changes, but BEFORE all the dust had completely settled. Given that minor ESR releases are supposed to contain mostly security fixes with only a select few critical bug fixes thrown in, the LOGICAL time for a new ESR would have been just BEFORE those massive user-interface changes were implemented in order to guarantee a stable, and relatively bug-free product. But no, keeping to an (arbitrary) schedule trumps good design practice.

      Then there’s beta testing. Woe be unto the poor user who tries to report a bug that might derail the almighty release schedule! The cognoscenti will spend the first couple of weeks blaming the user. Then another couple of weeks claiming that “Yeah, it *might* be real, but if it is, it doesn’t affect very many users, and besides it couldn’t *possibly* be related to the new stuff we’re working on”. By then, because of the “fast-track” schedule, the so-called “stable” release has been shipped to the great unwashed masses. And then bug reports come flying in: “Attention: All hands on deck! ChemSpill in release 33!” So yeah, beta testing and fast-track are an oxymoron. (Don’t believe me? Try Googling “Firefox breaks Verizon webmail” for starters. Or just read a few Bugzilla reports for whatever bug(s) forced any of the latest ChemSpill releases.)

      Finally, let me reiterate: If developers *really* had the courage of their convictions concerning the universal utility of their latest and greatest creation, then they should have *NO* qualms about making said feature OPT-IN, rather than enabled by default. Before the release had been out a week, users would be falling all over themselves in a rush to turn it on, and the ‘net would be abuzz with helpful documentation to enable them to do just that. Meanwhile, developers would get REAL feedback about which new features users actually use and value most. But no, you’re all deathly afraid that we users will vote with our feet, by staying away in droves, so you never give us a chance to vote at all.

      I’ll pass on that Kool-Aid. Thanks.

      1. Alphies

        *shrugs*. ESR does have a fixed schedule
        https://mozorg.cdn.mozilla.net/media/img/firefox/organizations/release-overview-high-res.png?201501

        It is a compromise, one that I think people would be thankful for. Mozilla is a technology company that is pushing web technologies, the support span they decided is the limit between obsolescence and supporting more conservative users like enterprise.

        ESR versions of course have a shelf life b/c they don’t want to support too many parallel code bases for the same product, that goes for any company. Also a year for a browser is considered ancient with the rate that web tech is progressing, we see the detriments of IE long support cycle on web development.

        Only Microsoft supports multiple versions of the same browser and they announced that in 2016 they will only support the last released IE version for that OS.

        Say what you want about commits each release, but Mozilla quality assurance very professional. It goes through several channels, often having incubation times of 18 weeks minimum but more often a lot longer. Between that time, Mozilla has a direct open line of communication between it users through IRC and mailing list.

        The Australis interface thing was in incubation for a even longer amount of time, and the back and forth communication was often “spirited” to say the least. I was one those who politely shot out a email with constructive criticism, which they did openly discuss my concerns. They actually did take one of my suggestions into account, ignored the rest, but they at least acknowledged it and had a open discussion.

        However at the end of it, Mozilla like any other company must make a judgement call and it did. No company design that is successful designs anything by committee or focus groups, that why you hire designers, you have to trust they will do their jobs and make the right decisions.

        If they believe a feature is not ready they will back it out before they release it in stable. They do it all the time, the most notable lately is the “Hello” feature which they backed out in Firefox 33 to Firefox 34 even though they already had in it beta.

        I think your larger problem is that expect web browsers to stay the same. It is impossible with web browsers and it was never the case with Mozilla even before the rapid release cycle.

  4. Anon friend

    —–BEGIN PGP MESSAGE—–

    qANQR1DBwEwDVcV1/C7xsJwBB/9+cMBYvrgz3xJ3AX88z37n2AxpeTXDcU+CoPIB
    N5gA50fo124JfdFPvBWhYOSJjsSAUCKD8qWn/3C7rVmTl0XMca/hRsJ5h6fZ29IT
    xk3SO5ROeez2pn9ctf9fpFjohnQ7crAz2K3jopFqE9YP7ZZZhlfohq4sI2JMWQqd
    0ODr8iORX5B7vyWZWRiO8VF7VzC6AlQPhE8mg2FdTtb9W/+Bxi2bFF5Xx1mqWnMB
    pGKu97q6iIRwCIJhVtrWEKE4DNTRqfhxsSfUAhNu7fi7Acs8mnGhc0IDF3dHzsUF
    oJZkgWpw3ufMdE1iKbm7I8uD9lHfFkDC13quQLKEZTebf5fU0sBOAajpynlqjk8W
    O3GwB3br7EGymtk7Y+T9GEfCXSsR2v7wD4bOfM0rpACt0A9GtIg+W+vo1vHFhLy9
    yz7I4j1qPJ/QoP5bZfdJaWa7Jghppfq7caIALPUnHJWDWjGABb7Egkw0W8KViVdG
    yr1m0sIgo9LfcF6REQgiljHqYqczA3jRQKOZ0QEtK41UiBJ1p4f7NnwFEkCPZov/
    WobmcPTPOptCTeigGzM3gb5U1nquysao8vT79V88evn7k3kxZRHQljOxGmya3Pd0
    JeB68Dya6eNE/MkUwGYpsaL9GuFg4cMmQ2vu/Tt8W5PUKjrm0SGzk3557A2vfndX
    Tt1yb7khVsVwjtaQIDzA2zoi7mY1
    =Pgv2
    —–END PGP MESSAGE—–

  5. bb ghali

    “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser”

    Assuming I only ever browse with Chrome or Firefox, is there any need to apply the IE patch as well?

    1. Henry

      “Assuming I only ever browse with Chrome or Firefox, is there any need to apply the IE patch as well?”

      Since IE cannot normally be removed from Windows workstations, it is always worth patching all installed software, even if not used in normal course of a day. If for any reason someone would run and browse with your unpatched IE/Flash, there is a risk of infection, even if “no one but one user uses the workstation.”

      Personally, I’d prefer if IE could be completely removed cleanly from Windows, but since it can’t… 😀

    2. goldi

      Yes, even if you never use IE, parts of it are still utilized behind the scenes by Windows, which makes it even more imperative to keep it up to date – including plugins.

    3. mechBgon

      Better yet, uninstall anything you don’t use or need. It can’t be attacked if it’s not there to start with. So if you don’t have a use for the IE version of Flash Player, uninstall it.

      You could furthermore set the Security level of IE’s Internet Zone to “High” as a defense-in-depth step, as well as enabling all other security tweaks (e.g. Enhanced Protected Mode and 64-bit tab processes, if your system offers them). Where I work, I had a rude awakening the other day: an employee was browsing the Interwebs from our point-of-sale server at lunchtime.

      *facepalm*

      These are the moments when all that tiresome defense-in-depth work is suddenly worth its weight in gold. Suffice it to say, the server’s homepage has now been set to a custom warning page that got the message across on the first encounter 😉

    4. a

      I don’t have Flash in IE at all because I rarely use IE, so I only have to update Flash once, for Firefox.

  6. surfer100

    For my computer and laptop (Windows 7), there were also updates for Adobe Air and Shockwave Player. Again, thanks for all you do, Brian.

  7. Donald Trump

    Also happening yesterday, Firefox released version 35 and Thunderbrd is now at 31.4. Furthermore, their where also updates to Google Chrome 32/64

  8. Ollie Jones

    It seems to me that Google should revise their 90-day disclosure policy to account for Microsoft’s long-standing “update Tuesday” rollout schedule.

    Or, maybe Microsoft should consider adjusting that schedule.

    At any rate, this was a remarkably puerile squabble.

    If it were a question of highway safety and the squabbling principals were, say, a vehicle maker and an airbag subcontractor, the National Transportation Safety Board and other regulatory agencies would be all over them.

    Big tech zaibatsus: enough squabbling! your users (that’s the whole world) deserve better and the threats are real.

    1. DavidL

      Neither demonstrates sympathetic behavior.

      Microsoft says that the “focus should be on protecting customers” yet it delays the distribution of patches for an average of 15 days for it’s own convenience.

      I agree with Google’s 90-day policy but do not see how releasing exploit code is helpful to anyone but the purveyors of misery.

      1. Peter

        The delay is not “for their convenience” but because the industry asked for it en masse and didn’t want to continuesly test patches throughout the month. They asked for bundling. Something BTW where they actually have a point as testing patches is expensive.

        1. DavidL

          Microsoft is certainly the biggest beneficiary of the once-a-month patch release schedule.

          Nothing forces the “industry en masse” to install fixes immediately after they are are released by Microsoft. Some part of “it” might, but most of “it” does not.

          Most individual members of the “industry en masse” choose to test and apply patches on their – rather than Microsoft’s – schedule. In such a disciplined environment, Microsoft’s bundling has a neglible impact on the cost of patch testing.

    2. Simon K

      When Microsoft are notified by Google of a security hole, then they should put good people on to it and fix it within the week. That’s what happens with open-source projects. Then QA will need to run their automated tests against the fix to ensure nothing unexpected pops up – another 24 hours. Then the fix goes into the next “patch tuesday”.

      What has happened here is that Microsoft didn’t give enough priority to these problems to get the patch in the first “patch tuesday”. Nor in the second one. The problem is entirely of their own making.

      This bug presumably got put in some queue for a manager to prioritize, and then got put into the development schedule behind “add new menu animation”. Without the 90-day deadline Microsoft would probably not yet have _started_ work on this.

      A fixed deadline _with no exceptions_ pushes the responsible party to properly put security-fix work before feature-enhancements. Any security bug can be fixed within a few weeks, given the right attitude.

  9. Freddie

    It seems to me that the Google 90-day deadline policy might be too stringent in some cases, though I’m not saying that I think (or know) it was too stringent in this case.

    In other words, for a particularly tricky problem 90 days might not be enough time to craft a quality patch whereas for a not so tricky problem, 90 days is way more than enough time.

    I would also think there needs to be some consideration of the impact and pervasiveness of the problem.

    In any case, maybe a hard and fast 90-day cutoff is not to everyone’s benefit.

    I agree they should stop squabbling. I think they should communicate and negotiate.

    1. Gayn

      It appears that Microsoft was too proud to ask Google for an extension, which surely would have been granted, if reasonable. For its part, Google should advertise that reasonable extensions will be allowed.

      1. nigel

        did you even read d umb? That blog post from Microsoft was because google refused to extend the deadline! smh

  10. Marion

    I haven’t been able to update Chrome. Error messsage:
    Version 39.0.2171.71 m

    Update failed (error: 3)An error occurred while checking for updates: Update check failed to start (error code 3: 0x80040154 — system level).

    Any suggestions? Thank you!

    1. Tom R.

      Try restarting your computer and then attempt the update again.

  11. JimV

    Adobe has also released an update for the Shockwave Flash Player that brings it to v12.1.6.156.

      1. JimV

        Some websites still do, though if you don’t have it installed anymore you won’t know until one presents a message it’s needed and points toward the Adobe download site to get it.

        1. Sasparilla

          Important to note – the latest Shockwave flash plugin often has a flash player version that is several releases old (as in versions where security patches have been released – that detail the security vulnerability the bad guys need to target to get through).

          If you can in any way get by with just the Flash player or no Flash player instead of the Shockwave Flash player please do and make yourself less vulnerable.

  12. patti

    As always, trying to see beyond the foothills here – does this mean, actually, that developers have lost control? Or do we simply call them irresponsible and/or evil. I know a lot of South Park fans would say it’s the latter, but research suggests otherwise.

  13. AP

    Hard to believe Java hasn’t released an update in 3 months. At one point they couldn’t could go 3 weeks without a new release. Very suspicious.

    1. CitizenX

      They are on a schedule of quarterly for updates and so far have stuck to it.

      1. Tim

        Brian

        Might be worth mentioning that Java 7 goes EOL in April 2015 after which time no more security patches will be released.

        This is a looming problem for most enterprises as they likely have multiple java-dependent apps and vendors have probably not gotten around to certifying Java 8.x yet.

        Tim

  14. Nathan

    You may want to remove the distribution link from the post as it is forbidden to list on a website.

    “Adobe may provide Distributor with access to the distributable version of the Software via electronic download at a specified non-public website. Distributor shall not disclose the location of such website to any third party.”

    1. JimV

      Brian has regularly provided a link to that webpage and noted in a post several months ago that Adobe was instituting a change, so it would be a really good idea to bookmark it now — although at some point Adobe may raise the bar and shift to a login requirement for reaching it that would preclude normal users from access in order to force everyone (other than its authorized distribution partners) to download the stub installer for Flash updates provided through the regular website.

      1. nv_tech700

        I received an email from Adobe back in October that outlined the changes coming to the Flash download page:

        #############################
        “Dear Flash Player Distribution Partner-

        Adobe will be making changes to the way you access the installers for Flash Player. These changes are part of an ongoing effort to give you the latest versions of Flash Player in the most secure manner possible. Over the next 30 days you will see the following changes:

        • Approved licensees will receive a unique access link to the new hosting page. Only those with a valid link will be allowed to access the page.
        • The existing hosting site URL will be decommissioned on November 18, 2014. Any attempt to access this page after that date will cause a redirect back to the Flash Player Download Center
        • Users with a valid unique access link will be given a limited number of uses to access the new page during the 12 month license term

        If your current license agreement extends beyond November 18, 2014, you will need to reapply for a distribution license. During the transition time you may apply for a new license. Any newly approved license will renew your term for 12 months, giving you access to the new landing page.

        The link to the Distribution license page can be found here: Flash Player Distribution

        NOTE: Bookmarks to the current page will no longer work as of November 18, 2014. Users will be redirected to the Flash Player Download Center

        Thank you for being a valued partner for Adobe and Flash Player!

        Sincerely,
        Adobe Distribution Licensing Team”
        #############################

        I applied for and received a new license in November as instructed. However, it is now January and I have not received any new credentials from Adobe and the old page still works. Go figure. I have no idea what is going on at Adobe…

        1. SeymourB

          That’s pretty much par for the course for Adobe, one half of Adobe doesn’t know what the other half is doing.

          More than likely their large customers squawked loudly upon hearing about their new master plan, so it’s being reworked.

          Personally I signed a redistribution contract with Adobe yet this is the first I’ve heard they were changing anything. That’s why I suspect the first round of customers they contacted included larger sites, once they put out the resulting fires in their call centers Adobe must have quietly stopped contacting customers.

          FWIW, so long as Brian didn’t sign a contract with Adobe to redistribute Adobe products “within his organization” then he’s not bound by the terms of the redistribution contract. If you don’t sign a contract, you aren’t bound by its terms…

  15. Mike Gale

    It’s a good thing that some of the commenters here aren’t in charge of patch management. It’s also a pity that some exploits are revealed on an anti-human bureaucratic schedule seemingly designed to cause trouble.

    It would be cool if we could, to some degree, hive off from the comprehensive mess that computing has become!

  16. jc

    Im disappointed Google.

    Youll be boycotted by me for one week for your stupidity.

    Kids nowadays.

    1. IA Eng

      Language packs – all to the same version – supposedly.

      The Microsoft .NET Framework 4.5.2 and its corresponding language packs are available on Windows Update and on Windows Server Update Service (WSUS). This update is released on Windows Update on the following supported platforms:•The .NET Framework 4.5.2 product is offered as a recommended update.

      •The .NET Framework 4.5.2 Language Packs are offered as a recommended update. Computers that have the .NET Framework 4.5.2 with an older version of language packs for the .NET Framework 4, the .NET Framework 4.5, or the .NET Framework 4.5.1 will receive this update. This update upgrades all previous language packs to 4.5.2.
      •The .NET Framework 4.5.2 Language Packs are also available separately as an optionalupdate. However, this update is not offered together with the .NET Framework 4.5.2 recommended update that is described previously. Computers that meet the following criteria will receive this update:•The .NET Framework 4.5.2 is already installed.
      •There is no previous the .NET Framework 4, the .NET Framework 4.5, or the .NET Framework 4.5.1 language pack installed.
      •The base operating system is a localized version of Windows, or the computer has one or more Multilingual User Interface (MUI) packs installed for one of the 23 supported languages for the .NET Framework 4.5.2 documented here

      .

      Note A recommended update may be installed automatically on all supported platforms based on your computer settings. Optional updates can only installed by manually selecting the update from the list of available updates.

  17. Alex Blackwell

    Interesting. Google just pushed out a new version of Chrome (40.0.2214.91 m) that has a new version of Adobe Flash Player (16.0.0.287).

Comments are closed.