Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.
Adobe’s patch includes a fix for a zero-day bug (CVE-2015-3043) that the company warns is already being exploited. Users of the Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player 17.0.0.169 (the current versions other OSes is listed in the chart below).
If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.169.
Google has an update available for Chrome that fixes a slew of flaws, and I assume it includes this Flash update, although the Flash checker pages only report that I now have version 17.0.0 installed after applying the Chrome update and restarting (the Flash update released last month put that version at 17.0.0.134, so this is not particularly helpful). To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.
The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
Microsoft has released 11 security bulletins this month, four of which are marked “critical,” meaning attackers or malware can exploit them to break into vulnerable systems with no help from users, save for perhaps visiting a booby-trapped or malicious Web site. The Microsoft patches fix flaws in Windows, Internet Explorer (IE), Office, and .NET
The critical updates apply to two Windows bugs, IE, and Office. .NET updates have a history of taking forever to apply and introducing issues when applied with other patches, so I’d suggest Windows users apply all other updates, restart and then install the .NET update (if available for your system).
Oracle’s quarterly “critical patch update” plugs 15 security holes. If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or fromJava.com.
If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel. Also, Java 7 users should note that Oracle has ended support for Java 7 after this update. The company has been quietly migrating Java 7 users to Java 8, but if this hasn’t happened for you yet and you really need Java installed in the browser, grab a copy of Java 8. The recommended version is Java 8 Update 45.
Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.
Hi Brian,
As always, thanks for the various heads-ups!
One thing, however: Oracle are showing the latest version of the Java SE Runtime Environment to be 8u45 (also available at http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html).
Regards,
AJ
Thanks, AJ. When I wrote this, Oracle hadn’t released its advisory or updated its Java home page with the latest version. Fixed in the copy above.
Thanks for letting me know about the Chrome update.
My Windows 8.1 machine had 22 updates including the ones for Microsoft Office. Maybe it’s time to look into buying a Mac because these monthly updates are becoming a pain in the a$$ if you have more then one machine to patch .
The mac needs patching too. Almost all actively developed software has patches and updates. Windows, Chrome, and most common software will automatically update as well if you give them about 24 hours. So for the average home owner, especially if your running Windows 8.1 then the patching should pretty much work automatically for windows and chrome. Since your a Krebs reader thought you probably download early and manually. This would be the same on a mac.
Yes I do manual updates, on all my machines.
Maybe I should go back and relearn Linux instead !
You’re still not getting it, Trump. Linux Distributions typically have more patches than anything else, usually because they include lots of software (free) that must be patched alongside the OS. Thankfully, this is all managed for you and it’s pretty seamless. And yes, some of the Kernel updates require restarts.
Or set up WSUS to automatically patch with all the patches that you approved?
You should be doing automatic updates instead of manual. You’re probably thinking, “but what if a patch breaks something?”. But that is misguided. The chances of being exploited via out of date software is greater than a patch breaking something. And you can always uninstall a bad patch. Not so easy to uninstall malware.
FWIW, my Chrome update shows Adobe Flash Player 17.0.0.169 installed.
With their April, 2015 update for IE11, Microsoft has also let it be known that SSL 3.0 support will be disabled by default. From https://technet.microsoft.com/en-us/library/security/3009008.aspx:
“V3.0 (April 14, 2015) Revised advisory to announce with the release of security update 3038314 on April 14, 2015 SSL 3.0 is disabled by default in Internet Explorer 11, and to add instructions for how to undo the workarounds.”
To see the exact version of the plugins in Chrome, navigate to chrome://plugins/ from within the browser. For me, it showed 17.0.0.134 before upgrading and 17.0.0.169 after.
use github, llinux slackware they do not need updated
Adobe AIR was also updated to 17.o.0.144.
What’s this new Adobe Reader DC thing about? (There were no updates for Adobe Reader version 10.x or 11.x.)
Regarding Acrobat DC,
https://helpx.adobe.com/acrobat/faq.html has some information for you.
When AIR has a *security* update, Adobe will include a paragraph or two about AIR in the security advisory for Flash. APSB15-06 doesn’t mention AIR at all, so this particular AIR upgrade isn’t likely to be security-related.
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
Doesn’t mean you shouldn’t install it. Just that, unlike the update for Flash, the update for AIR isn’t a *critical* update.
“.NET updates have a history of taking forever to apply and introducing issues when applied with other patches”
I see I have an option to uninstall Microsoft .NET Framework in the Control Panel. What does it do? Can I safely uninstall it or will it mess other things up?
Running Windows 7, Office 2010. 1 standalone computer.
Thanks.
Quite a few Microsoft and third party programs *REQUIRE* .NET to run. If you uninstall .NET using Programs and Features in the Control Panel, you *WILL* regret that decision, and sooner rather than later! Don’t do it!
A starting point:
http://www.microsoft.com/net
http://en.wikipedia.org/wiki/.NET_Framework
https://answers.yahoo.com/question/index?qid=20080229200943AAfNG76
.NYET is essentially Microsoft’s answer to Java, and recent versions of Windows include one or more versions of .NYET. You might or might not actually need it – it all depends upon what applications you have installed.
Most of the issues I’ve ever had with windows updates failing repeatedly have been due to .net – and figuring out how to resolve the damn things so they work again is often harder than just dealing with it for 6 months – a year and wiping the machine/start over.
Once again Brian to the rescue! He beat Adobe auto-updates again! That is if they even work anymore. They haven’t for the last update either.
Thanks!
Does anyone every notice that this whole process (this entire thing) is like drug addiction?
Gotta have your fix….like right now…..
YES! I have noticed this patch and fix thing to be super annoying and leading me to dump the internet into a landfill.
I manually used Windows Update today on Wi7 x64 Home. 17 updates were successfully installed. After Restart I successfully installed latest Flash on IE11, Fx 37.0.1, and Chrome 42.0.231.70 m. After Restart I installed latest Java 8 Update 45 which appeared to be successful, but testing after restart of any web based Java application fails because the Flash plug-in is not supported. Examples include:
http://www.wordle.net/create – enter text and click “Go”.
https://www.java.com/en/download/installed.jsp and click “I agree”.
http://javatester.org/version.html all show “This Plug-in is not supported.”
In Chrome, you’ll need to enable the “Enable NPAPI” flag, because Chrome 42 turns off NPAPI support by default; NPAPI will be totally removed around Chrome 45.
Subscribe.
I circumvented this problem in Chrome (until September) per instructions at
http://www.ghacks.net/2015/04/15/chrome-42-blocks-java-silverlight-other-plugins-by-default-now/?_m=3n%2e0038%2e1579%2eur0ao0412z%2e1mw3
I don’t know yet how to fix Firefox or IE11.
Latest Firefox works with latest Java if NoScript is updated to 2.6.9.21 .
Latest IE11 works with latest Java if AdBlock Plus is deleted.
You additionally may have to tweak Java Console parameters re security levels and Permitted Sites. At least worked for me….
Adobe Flash for IE 11 on Windows 8.1 hasn’t been updated, the MSA is still listed for March 2015 with Adobe version 17,0,0,134
https://technet.microsoft.com/library/security/2755801
Adobe Flash about page visited on IE 11 on Windows 8.1 states “Internet Explorer (Windows 8.x) – ActiveX 17.0.0.169” should be the current version, but this download version from Microsoft is missing!
Adobe’s forums have the direct link to the Microsoft patches https://forums.adobe.com/thread/1816867
Good find. get.adobe.com/flashplayer sends you to the old MSA/KB, at least for IE 11 on Win 8.1/Server 2012. Here is the correct MSA: https://support.microsoft.com/en-us/kb/3049508
This update was not listed on my systems’ Automatic Windows Update notifications for this month.
What is dismaying are the amount of programs that require you to have an old version of Java installed! We’re talking Java 6. Adobe Creative Suite 6 on Macintosh is one of those programs. With only the latest Java installed, it won’t run–you need to install an older version. We run Symantec Endpoint Protection (SEP) on our network, and the remote console that lets you communicate with SEP Manager on the server from a PC doesn’t like it when you upgrade Java–it will break the connection.
It is also astounding how many software companies will claim their software is “secure” when they put their security directly into the insecure hands of things like Java!
–Rusty
Adobe wants you to pay monthly for creative cloud, so they use the fear of vulnerability to push you out of creative suite.
Too bad you paid $2500+ for it when new. . . Now you get bupkis…
Makes one wonder if that issue (not working with newer Java versions) is by design in Adobe CS6, i.e. time to upgrade (or just sloppy programming – i.e. checking to see if its Java version 6 only).
Regardless, the main point of attack with Java is the web browser plugin (which CS6 shouldn’t use at all) – you disable that in your browsers (for your Mac’s Safari does that automatically for out of date versions) and nearly all of the mainline attack paths with Java are blocked.
When a CEO of a major software company feels that making money off their main software programs is not enought, they are no longer a first class but a last class company.
Putting a PUP into a required critical update and not allowing updates for expensive software to plug critical vulnerabilities makes you wonder whether to start classifying them as a malware vendor. Greed will take the company straight to the bottom by losing customer loyalty. It is totally a classless act on the part of the CEO. Plus, they make money off of selling your privacy to data brokers.
https://tinyurl.com/l3zftwx
The most important comment to date, and no one even blinks let alone acknowledges it.. unbelievable.
… it lets you know exactly what direction windows is headed and the above is exactly why they will succeed.
Brian has been saying for years to not even install their junk if you can help it. The problem is all the app developers using Java/Flash and forcing a lot of people to use it for work or purchased products.
Ive been stuck on these updates for over 3 hours… its stuck on 23 of 28 and im not sure which one it is…
Cursor is spinning so I guess i’ll leave it. But still I need to continue working !
Many users are dependent on automatic updates because they are users, not techs. It is not feasible for them to discriminate between different updates and to manually intervene in order to smooth the process. Windows 8.1 seems especially prone to update botch, one non-tech user finding that her Win 8.1 system has become bogged down and still unavailable for use after more than two hours during which time the updating is supposedly taking place. The mouse moves but that is about all.
There is no solution to this mess. If only updates were released unscheduled as they become available. Perhaps doing this would mitigate the effects of releasing the whole shebang on the second Tuesday of each month. With so many helpless users finding their systems unexpectedly becoming useless on or just after Patch Tuesday, the update process is clearly unfit for purpose. Perhaps it should be renamed Botch Tuesday.
“There is no solution to this mess.”
Do you remember the movie WarGames?
“The only way to win is not to play.”
What is required is a step back and a clearer look at the bigger picture.
Makes you wonder what exactly it is doing for 2 hours.. In that same length of time you could usually download an entire full fledged video game that tinkers with drivers, registry, and every aspect of the OS. How does a .net patch take longer to apply than a 10-20 GB game install?
Good heavens, another day, another flash update. At least now im in good shape, until tomorrow…
Thanks once again Brian. I find your assistance in these matters to be invaluable. Also a big thanks to Posters who offer their opinions and expertise.
I’ve upgraded AFP I’m running Versie: 17.0.0.169, nevertheless shockwave is crashing all the time, I’ve tried to upgrad to versie 12.1.7.157 but when open chrome:\\plugins it shows
Shockwave Flash 17.0 r0. I’ve only 1 Adobe Flash Player
Is this what people are referring to as the deRANGEd vulnerability?
The only update that failed for me was kb2990214, which is nagware that asks you to update to windows 10. I kid you not.
No way would I even get windows 10 for free. MS is out of their minds right now and doing everything they can to push people to beta test for it. After the fiasco in february with MS breaking peoples machines on purpose, and taking down the digital river iso downloads so people can’t fix them, with the same update they broke peoples machines with in the past, at the same time taking digital river downloads down the first time, and after the failure windows 8 was at launch the first year, there is no way I’m getting windows 10 or another MS product ever again.
And if its anything like upgrading from xp to windows 7, I would need to upgrade my computer first anyways.
Lots of confusion on the intarwebs about the patches released by MS at the end of March / beginning of April, i.e. well *before* the “Patch Tuesday” batch was released. Now that the dust has settled a bit, you might want to recheck your sources.
KB2990214 — “Update that enables you to upgrade from Windows 7 to a later version of Windows” — appears to be some kind of framework and/or toolset that assists in the upgrade process.
KB3035583 — “Update enables additional capabilities for Windows Update notifications in Windows 8.1 and Windows 7 SP1” — appears to be the actual nagware.
Brian,
You wrote: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).”
Just like you recommend people should uninstall Java if they don’t need it, you should recommend that Firefox and Chrome users should uninstall the IE-only ActiveX Flash player.
IMHO users of “alternate browsers” who don’t use IE don’t need Flash in IE …
The only “safe” (relatively) browser for Flash is Chrome, thanks to the Chrome sandbox.
The one weakness of Flash on Firefox, is that Firefox click-to-play is all or nothing. Allowing Flash to run on a site, lets all of the Flash run, including Flash ads.
What you need is the Click to play per element to force click-to-play on each Flash object.
I hate Flash, so I go the other way: I use the NoScript extension with Firefox, and set it to block Flash on all sites, even the ones I allow javascript on.
FYI, *16* days post update release, Microsoft has issued an update update:
———- Forwarded message ———-
From: Microsoft
Date: Thu, Apr 30, 2015 at 6:13 PM
Subject: Microsoft Security Bulletin Releases
****************************************************
Title: Microsoft Security Bulletin Releases
Issued: April 30, 2015
****************************************************
Summary
=======
The following bulletin has undergone a major revision increment.
* MS15-032 – Critical
Bulletin Information:
=====================
MS15-032 – Critical
– Title: Cumulative Security Update for Internet Explorer (3038314)
– https://technet.microsoft.com/library/security/ms15-032
– Reason for Revision: V2.0 (April 30, 2015): Updated bulletin to
inform customers running Internet Explorer on Windows Server 2003
Service Pack 2 that the 3038314 update on the Microsoft Download
Center was updated on April 22, 2015. Microsoft recommends that
customers who installed the 3038314 update prior to April 22
should reinstall the update to be fully protected from the
vulnerabilities discussed in this bulletin.
– Originally posted: April 14, 2015
– Updated: April 30, 2015
– Bulletin Severity Rating: Critical
– Version: 2.0