This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.
ADOBE
Adobe’s Flash patch brings Flash to version 18.0.0.209 on Windows and Mac systems. This release fixes two vulnerabilities that came to light in the Hacking Team breach. Working exploit code for both flaws is already published online, so if you must use Flash, please take a moment to update it now.
If you’re unsure whether your browser has Flash installed or which version it is running, browse to this link. The Flash Player bundled with Google Chrome, and with Internet Explorer on Windows 8.x, should update automatically to the latest version. To force installation of an available update in Chrome, click the triple-bar icon to the right of the address bar, select “About Google Chrome,” click the apply-update button and restart the browser.
The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
Please consider whether you really need Flash installed. It is a powerful program that cybercriminals exploit on a massive scale to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.
Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.
Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave, and it is just as buggy as Flash but is updated far less often. In any case, links to the latest version of Shockwave are available in the advisory.
MICROSOFT
With today’s 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today’s patches, including one zero-day flaw uncovered in the Hacking Team breach.
Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.
Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2015-2424) that is actively being exploited by attackers.
More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.
ORACLE
Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.
The latest version, Java 8 Update 51, is available from Java.com. But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I’ve urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
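Both the Flash advice above (patched build 18.0.0.209) and the Java advice here (Java 8 Update 51, which reports itself as 1.8.0_51) come down to the same question: is the version a machine reports at or above the patched one? The checker below is an added example written for this post, not code from Adobe, Oracle or the original article. The version strings it parses are constructed samples in the formats each product uses: Internet Explorer’s ActiveX `GetVariable("$version")` returns `WIN 18,0,0,209`, Adobe’s about page shows `18.0.0.209`, `navigator.plugins` in other browsers reports only `Shockwave Flash 18.0 r0`, and `java -version` prints `java version "1.8.0_45"`. The `navigator.plugins` form carries no build number, so the checker reports it as unknown rather than guessing.

```python
"""Compare reported Flash Player and Java versions against the July 2015 patched builds."""
import re
from typing import Optional, Tuple

# Patched builds named in the post, as a lookup table constructed for this example.
PATCHED = {
    "flash": (18, 0, 0, 209),  # Flash Player 18.0.0.209 for Windows and Mac
    "java": (1, 8, 0, 51),     # Java 8 Update 51 reports itself as 1.8.0_51
}

# Flash uses dots or commas between the four components depending on where you read it.
_FLASH_FULL = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")
# Java 8 uses the legacy 1.major.0_update form, optionally followed by a build suffix (-b16).
_JAVA_FULL = re.compile(r"(\d+)\.(\d+)\.(\d+)_(\d+)")


def parse_flash(text: str) -> Optional[Tuple[int, ...]]:
    """Return a 4-tuple from a full Flash version string, or None when the string
    only carries major.minor (navigator.plugins reports e.g. 'Shockwave Flash 18.0 r0',
    which cannot be compared against a build number)."""
    m = _FLASH_FULL.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_java(text: str) -> Optional[Tuple[int, ...]]:
    """Return a 4-tuple from a `java -version` style string such as
    'java version "1.8.0_45"' or '1.8.0_51-b16'; None if no such version is present."""
    m = _JAVA_FULL.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def check(product: str, reported: str) -> str:
    """Classify a reported version as 'patched', 'out of date' or 'unknown'.

    Tuples compare component by component, so 1.7.0_85 sorts below 1.8.0_51 and is
    reported as out of date relative to the release the post recommends."""
    parser = {"flash": parse_flash, "java": parse_java}[product]
    version = parser(reported)
    if version is None:
        return "unknown"
    return "patched" if version >= PATCHED[product] else "out of date"


if __name__ == "__main__":
    # Constructed sample inputs, in the formats each product reports itself in.
    samples = [
        ("flash", "WIN 18,0,0,209"),            # IE: ActiveX GetVariable("$version")
        ("flash", "18.0.0.203"),                # Adobe's about page, a pre-patch build
        ("flash", "Shockwave Flash 18.0 r0"),   # navigator.plugins: no build number
        ("java", 'java version "1.8.0_45"'),    # `java -version`, two updates behind
        ("java", "1.8.0_51-b16"),               # the July 2015 release
    ]
    for product, reported in samples:
        print(f"{product:5} {reported!r:40} -> {check(product, reported)}")
```

Feed `check()` whatever your browser or `java -version` actually prints; an `unknown` result for Flash means you need to read the full build number from Adobe’s about page rather than from the plugin list.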
If you have an affirmative use or need for Java, there is a way to keep it installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in it: unplug it from the browser unless and until you’re at a site that requires it, or at least take advantage of click-to-play, which blocks Web sites from displaying Java and Flash content by default.
The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
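The Java Control Panel checkbox described above is backed by a text file, and on a machine you administer it is often easier to set it there than to click through the GUI. The script below is an added example, not code from Oracle or from this post. It assumes Oracle’s documented deployment configuration: the checkbox corresponds to the key `deployment.webjava.enabled` in the user’s `deployment.properties` (on Windows under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment`, on Mac under `~/Library/Application Support/Oracle/Java/Deployment`), and a key suffixed `.locked` in a system-level properties file referenced from `deployment.config` prevents users from flipping the setting back. Verify those paths on your own system before relying on them. The sample file contents are constructed for the example.

```python
"""Disable 'Java content in the browser' by editing a deployment.properties file."""
from typing import Dict

# Constructed sample of a user's deployment.properties with web Java still enabled.
SAMPLE = """#deployment.properties
#Tue Jul 14 2015
deployment.version=8.51
deployment.webjava.enabled=true
deployment.security.level=HIGH
"""

WEBJAVA_KEY = "deployment.webjava.enabled"   # the Control Panel checkbox (assumed from Oracle docs)
WEBJAVA_LOCK = WEBJAVA_KEY + ".locked"       # lock key, honoured in a system-level file


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Java properties file; lock keys have no value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _sep, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def web_java_enabled(text: str) -> bool:
    """Java treats a missing key as enabled, so only an explicit 'false' disables it."""
    return parse_properties(text).get(WEBJAVA_KEY, "true").lower() != "false"


def disable_web_java(text: str, lock: bool = False) -> str:
    """Return the file with web Java disabled, leaving every other line untouched.

    With lock=True the .locked key is appended as well. Running this twice yields
    the same output, so it is safe to apply on every login or configuration run."""
    out = []
    seen = False
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == WEBJAVA_KEY:
            out.append(f"{WEBJAVA_KEY}=false")
            seen = True
        elif key == WEBJAVA_LOCK:
            continue  # dropped here, re-added below only if the caller asks for the lock
        else:
            out.append(raw)
    if not seen:
        out.append(f"{WEBJAVA_KEY}=false")
    if lock:
        out.append(WEBJAVA_LOCK)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", "enabled" if web_java_enabled(SAMPLE) else "disabled")
    hardened = disable_web_java(SAMPLE, lock=True)
    print("after: ", "enabled" if web_java_enabled(hardened) else "disabled")
    print(hardened)
```

This only unplugs Java from browsers; a Java application you download and run yourself is unaffected, which is exactly the dual-browser trade-off the paragraph above describes. Restart the browser after changing the file, since the plugin reads the setting on load.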
Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.
It appears that Microsoft finally has a patch out to address this in KB3079777 (https://support.microsoft.com/en-us/kb/3079777)
Flash Player for 32-bit Linux updated this morning to 11.2.202.491
Recent IBM studies found that out of one million computers 4% of the time Java had vulnerabilities while 96% of the time showed Java being used as a weapon by the cybercriminals. Seems to me that if cybercriminals are using Java to design their attack software, that we should be using Java to protect ourselves against such attacks. Obviously Java is still the strongest Software design language out there.
Do you have a link to this study? I’d be interested in reading about what methods IBM used to determine this.
I tried uninstalling flash and shockwave, but soon found that I could not watch the BBC iPlayer without flash. And then found that I could not pay a PayPal invoice without installing shockwave.
One possibility is that we need a safe alternative, if such a thing could exist, but I imagine that the adoption of it would be in the hands of the website proprietors or managers. And if it would be better and feasible to dispense with flash and shockwave, likewise the campaign to do so needs to be directed at the website proprietors and managers.
Is there any material difference in terms of security between disabling Java and uninstalling it?
I find it convenient to have Java installed because the interface for my APC UPS depends upon it. So, I enable it if I need to go there, and then disable it afterwards. Is there really any reason to incur the additional inconvenience of uninstalling it?
The significant hazards all have to do with running Java *in a browser*. If you disable that – which I very strongly recommend – the only way Java runs is if you explicitly download and run a Java program. That’s not really any different from explicitly downloading and installing any other kind of program (e.g., EXE, on a Windows system).
To be more accurate: There *is* a difference. Programs written in Java are immune to certain classes of bugs that programs written in some other languages (C, C++ in particular) are not only vulnerable to, but have a long history of falling prey to.
If you’re concerned about *deliberately malicious software* – pretty much any executable program can do pretty much anything once you’ve downloaded it and installed it. The only way to protect yourself against that is to “know your supplier.”
— Jerry
Brian, you’re a hypocrite. You keep telling people “to ask themselves if they really need” Flash or Java installed. Why don’t you also start asking people if they really need to continue using Windows?