October 14, 2015

Adobe and Microsoft on Tuesday each released security updates to remedy critical vulnerabilities in their software. Adobe pushed patches to plug at least 56 security holes present in Adobe Reader and Acrobat, as well as a fix for Flash Player that corrects 13 flaws. Separately, Microsoft issued six update bundles to address at least 33 security problems in various versions of Windows, Microsoft Office and other software.

Three of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning they could be exploited by hackers or malware to take complete control over vulnerable systems without any help from users. According to security firm Shavlik, four of the flaws involve vulnerabilities that were publicly disclosed by someone other than Microsoft prior to this week. The implication here is that malware writers may have had a head start figuring out ways to exploit several of these flaws, so it’s probably best not to let too much grass grow under your feet before applying this month’s updates.

As per usual, the largest number of flaws addressed in a single patch from Microsoft target multiple versions of Internet Explorer, the default browser on Windows — as well as Microsoft Edge, Redmond’s replacement browser for IE. Other critical fixes concern the Windows operating system and Office.

brokenflash-aAs it usually does on Patch Tuesday, Adobe pushed a critical update for its ubiquitous Flash Player software that plugs multiple flaws. Find out if you have Flash installed and its current version number by visiting this page.

If you use and need Flash Player, it’s time to update the program (the latest version is19.0.0.207 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest.

Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it.

Update, 4:31 p.m. ET: In case you needed another reason to remove or hobble Flash, Adobe just released an advisory warning that attackers are exploiting an unpatched vulnerability in this latest version of Flash player. Adobe said it expects to issue another fix for Flash to fix the flaw during the week of Oct. 19.

Original story:

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

There is also a security update available for Adobe AIR. If you use this program, please take a moment today to patch it. AIR should prompt you to update to the latest version if you launch an application the requires AIR, such as Pandora.

Finally, Adobe issued a fairly substantial fix for Adobe Reader and Acrobat that fixes more than four dozen vulnerabilities in these programs. For more on the latest versions and download link, check out Adobe’s security advisory.


42 thoughts on “Adobe, Microsoft Push Critical Security Fixes

  1. Otto Hunt

    Does that mean the Adobe Flash is safe to use again? I blew it away at your urging, and I don’t miss it except for videos embedded in some sites (YouTube and Vimeo site work, though), and the way some engineering journals are published.

    1. itsmeitsmeitsddp

      Flash will never be secure. What I do is enable it as needed in Chrome disabled at all other times.

    2. David

      There’s news since yesterday of another zero-day affecting the latest 19.0.0.207.

  2. Nobby

    The way Flash was built, it cannot be made “safe.” Each patch plugs another hole, but in general it is a relic of simpler days on the Internet. It needs to be retired, but Adobe will not ever be likely to do that.

  3. Moike

    If you have Windows Updates set to manual, the first suggestion on checking is to upgrade to Windows 10, with no choice button except to “get started”. You have to click on the tiny “other choices” link, go to optional updates and un-click Windows 10. Then the important updates can be selected and applied.

    All this when the system had never even made a “Windows 10 reservation”.

    1. Isaac

      I discovered the same issue on a W7 system when I went to install the latest security patches today. Microsoft had snuck in W10 as an “optional” update and it was checked for install by default! Hey Microsoft its my system! I choose when to change OS versions!!! Fortunately I took a look at the options list and unchecked it before installing the critical security patches. This particular system does not even have the required free space disk capacity (~3 Gb) to even load it (waiting on a SSD upgrade disk). Anyway, pretty sneaky of Microsoft to set up an “in your face” default W10 install in the behind the scenes optional updates section on systems set for manual updates only! Then after successfully installing the security patches W10 rechecked itself “yet again” for default install. Pretty obnoxious behavior!

      I can understand MS wanting to move users forward, however… many MS users have valid reasons for waiting to upgrade or reasons to decline the install of W10.

      1. Andrew

        Yep, apart from all the documented windows-10 preparatory updates, there’s a relatively new update to Windows Update for windows-7 users. If you click ‘More Information’ it doesn’t mention a thing about windows-10, just that it patches Windows Update and then pages about language packs

      2. Mike

        This isn’t moving users forward, particularly if users are not moving at all. What this actually is, is MS convincing people to run a different OS for a little while with an understanding that they will be expected to stop using it at a point of Microsoft’s choosing. At which time, It will then become a completely different operating system.

        [it isn’t upto the user….it’s the user doing what ever MS tells them to do]

        What would the point be in waiting? That’s just postponing the inevitable. If your going to do it anyway…..then do it. Otherwise the decision is to NOT do it at all. The thing is, when a user decides to stay at Win95 and not update/upgrade; they are ultimately laughed at and ridiculed. Perhaps the user decides to pass on updating to Win7 or Win8?

        [at what point does the idea of “individual’s choice” get tagged as “luddite”?]

        If this were all about “safety” and “online security”, then why is it that things have become so much worse? One would think that with all this updating and upgrading that cyberspace would be water tight by now.

      3. Eaglewerks

        Isaac, in part you said: “… This particular system does not even have the required free space disk capacity (~3 Gb) to even load it (waiting on a SSD upgrade disk). …”
        I find it difficult to believe you have an operating computer where you can access the INTERNET and only have the mentioned Three Gigabyte (3 Gb) of free remaining space. Also your source for the requirements for Win 10 may be in error, as Microsoft informs users the following requirements are minimum: Processor:1 gigahertz (GHz) or faster processor; RAM: 1 gigabyte (GB) for 32-bit or 2 GB for 64-bit; Hard disk space: 16 GB for 32-bit OS 20 GB for 64-bit OS; Graphics card: DirectX 9 or later with WDDM 1.0 driver; Display: 800×600.

        As for the pre-checked Win 10 upgrade on the recent Windows Update files, the error was announced by Microsoft, it was ordered removed, and they said that it was never the management’s intention to have the upgrade to Windows 10 pre-checked.

        1. Bob

          “As for the pre-checked Win 10 upgrade on the recent Windows Update files, the error was announced by Microsoft, it was ordered removed, and they said that it was never the management’s intention to have the upgrade to Windows 10 pre-checked.”

          It took them how many months to figure out how to make the box not checked by default?

          I got so tired of jumping through hoops to do updates without the Windows 10 upgrade tagging along, I used one of those tools that gets rid of the upgrade app in notification area. I was planning on doing the upgrade after they released Threshold 2, but now I think I’m going to wait until just before the end of the free upgrade period.

        2. Darth V

          The download to the Windows.~BT folder is at least 3GB, though some report over 6GB. And you can surf the web just fine with this little space available if you do things like set your browser to delete history and temp files upon exit, or use a tool like CCleaner to clean up temp files regularly.

  4. Dean Marino

    RE: Microsoft patches….

    Something I would LOVE to see an article on – the loss of credibility for Windows Update.

    Recently, MS has been stuffing Windows 10 style privacy stealing patches into their updates. A number of folks (I’m one) want nothing to DO with Windows 10, or MS’s attempts to “correct” our Windows 7 Systems with these privacy robbing patches.

    As a consequence? I, and others, are now in a constant battle to look for and disable these “sneak patches. Bottom line? We can’t trust Windows Update anymore.

    1. Sasparilla

      This is a great point though, Microsoft has corrupted their Update Process to become a tool for monitoring / installation / corporate policy for “their” computer. (by “their”, I mean “your” computer, but Microsoft treats it as their’s) Obviously Microsoft thinks their customers have no choice but to comply with this stuff.

      Here’s an article that talks about Microsoft adding the monitoring software we thought was just in Windows 10 to Windows 7 & 8:

      http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/

      I’m going back through update numbers to get rid of these as well as the Windows 10 install / pre-download patches.

      I’m going to shift one PC at home over to Linux (1st one)…the future path Microsoft has chosen for customer choice and privacy, just doesn’t get better from here…its time to make a mid term plan to get away from them. Mac’s, Linux & the occasional Windows Virtual Machine (for things that don’t have alternatives on Macs / Linux) can cover just about anything you need these days. JMHO…

      1. Darth V

        I’ve already made the move at home to Linux. I have 3 machines (1 laptop, 2 desktops) and all 3 have Linux installed, two of them dual-boot with Win7. I will never run Win10 at home strictly on principle. M$ set an end of support date of 2020 for Win7, so it’s a perfectly workable OS and does everything I need it to do, yet they still pushed the 3+GB download to my computer for Win10 even though I never asked for it. So I deleted it, did the registry hacks to stop forced upgrades, and started running Linux 90% of the time.

        Yes, Linux does most everything I need a computer to do, though it has its own problems as well. And the unfortunate part is that by day, I’m a software developer working with M$ technologies (.NET, etc.), so I can’t turn my back on Windows until I make the career change I’m planning for a few years down the road. Even then, because so much software out there is Windows only, I don’t see myself completely removing it. It will just get to the point where I never connect to the Internet under Windows again after it leaves extended support.

  5. David C.

    WRT using Flash on Firefox, click-to-play is good, but I personally think the Flashblock add-on (https://addons.mozilla.org/en-us/firefox/addon/flashblock/) is better.

    With click-to-play, you must enable/disable Flash for the entire page. If you want to enable it in order to see (for instance) a video clip, you end up also enabling it for the banner ads. And there’s a lot of malware being distributed through banner ads.

    Flashblock, on the other hand, replaces all Flash objects with placeholder objects. You can click on a placeholder to load that one Flash object and no others on the page. You can also configure a whitelist that checks the object’s source URL. So you can (for instance) whitelist youtube.com in order to load YouTube objects wherever they may be embedded without loading all of the other Flash objects that might also be on the same page.

    The only downside to Flashblock is that there’s a bug that causes Silverlight to never load, even when permitted and white-listed. Flashblock must be disabled altogether in order to use Silverlight objects. Right now, the only Silverlight-based site I care about is Netflix. I work around this bug by using a different browser (usually Apple Safari) on those rare occasions when I want to access Netflix from one of my computers. (Normally, I access it from my PS3 or Blu-Ray player.)

    1. samak

      Sounds good David, except that I note that “Flashblock does not work with Javascript disabled or with NoScript installed.”
      I have NoScript installed, so is it better to have NoScript + click-to-play or do without NoScript but have Flashblock instead?
      I confess to general ignorance about these matters.

      1. Nobody_Holme

        Noscript duplicates what flashblock does, but with differences (stops non-flash scripts, catches some other dodgy behaviours, is generally less user-friendly to computer illiterate people).

        You should use one OR the other as part of your web security, but avoid both due to clashes.

        1. samak

          Thanks for the advice. Hope somebody is holme to receive this…

  6. Cog

    Is there a good plug-in for flash black on chrome, or Microsoft edge?

    1. mechBgon

      In Edge, click the three dots at the upper-right, choose Settings, then scroll to the bottom and click View Advanced Settings. There’s a toggle where you can turn Flash off.

      In Chrome, enter chrome://plugins/ in the address bar and you can disable Flash Player there.

  7. Boris

    I believe there is an error in the article.
    Microsoft IE does NOT bundle Flash in it, Microsoft Edge does bundle Flash.
    This is incorrectly referenced two times in this article.

    1. mechBgon

      On Windows 8.x and Windows 10, the IE version of Flash Player is bundled with Windows itself. This is why Flash Player for IE gets updated via Windows Update on Win10 and Win8, whereas on older versions of Windows it would be up to Adobe’s own updater (which doesn’t seem too reliable).

      1. Dirgster

        I read that Flash Player is intergraded with Windows 10, although on my Windows 10 system, the previous Flash Player version still shows. No Windows Update prompts have shown for Flash Player. Am I safe with this older version?

  8. dragos

    I tried to disable flash, but guess what : i still need it. In my case for connecting to to vsphere web client 5.x+
    Vmware have an application client but from v 5.1 to day they add new features only in web client. Which web client even at latest version (6) use Flash 🙁
    So, in enterprise world, you can’t escape from flash (yet)

  9. Phoenix

    I deleted Flash some time ago and haven’t missed it. I figure that any website requiring Flash doesn’t need me. However Google would please me if they would improve their interactive stock charts on their finance page which currently require Flash.

  10. meh

    Has anybody else noticed that the last few versions of flash (17+) have been wiping any settings (disable camera/etc) with every update? I noticed it first on a Windows 10 machine but I’ve also seen it on several Windows 7 machines as well. Unfortunately several companies still rely on it which makes uninstalling it difficult but its insane how bad their default security stance is after all these years.

  11. Bat Man

    I did not check any of the Windows 10 boxes, only the Windows 7 boxes. I apparently got everything including Windows 10 stuff – changing my screen, a new browser, can save all files to the cloud, place to by “things”, to name 4. I have a lot to learn to be able to do what I used to do.

  12. arbee

    Re: W10 updates, comments to the 8 Sept 2015 “Time to Patch” post included a list of five W10-related “updates” you might want to avoid:

    KB3022345 (replaced by KB3068708) introduces the Diagnostics and
    Telemetry tracking service
    KB3035583 W-10 download
    KB3068708 introduces the Diagnostics and Telemetry tracking service
    KB3075249 adds telemetry points to consent.exe
    KB3080149 updates the Diagnostics and Telemetry tracking service

    Subsequently (mid/late Sept 2015), a sixth one

    KB2952664 This update helps Microsoft make improvements to the current
    operating system in order to ease the upgrade experience to the
    latest version of Windows.

    showed up.

    I’m not a fan of Microsoft. Indeed, I’m amazed to find myself making a comment in Microsoft’s defense: the description next to each update is cut / pasted / trimmed, but these are Microsoft’s words, not mine. I check details related to anything I install before I install it. The details are there, and at least for these six updates, I can’t complain that the descriptions are opaque.

    Check to see if you already have any / some / all of the above updates installed. If yes, I suggest uninstalling them keeping in mind this quote from one of the 8 Sept 2015 “Time to Patch” comments: “…disclaimer – provided as-is with no guarantee this won’t delete all of your data, brick your PC, start a global thermonuclear war, molest your pets, and / or produce any other negative outcomes you can or cannot imagine.”

    If any / some / all of these updates were installed and you uninstall them, depend on it: Microsoft will offer them to you again. Right-click on the empty check-box and select “Hide”.

    Moral of the story: read BEFORE you click.

    1. meh

      I made a batch with all of those plus a couple more. At least one of those has been repeatedly marked important and hiding it doesn’t stop it from showing up again.

      I blocked kb2976978 and kb2977759 in addition to the ones mentioned.

    2. R.Fleischer

      you cannot set KB3055583 for “hide”, because microsoft set it so it won’t accept hiding. You CAN refuse the download, with each Microsoft update

    1. mechBgon

      Not the case here. Adobe’s article begins with “You need Flash Player to view Flash content in PDFs, PDF Portfolios, and other features,” so it seems logical that your environment includes PDFs with Flash content embedded. If you can get them to stop adding Flash content to the PDFs, that’s probably the first step.

  13. kopecky

    Windows 10 installed 1st day release in AM not knowing of spyware ability’s . Learning of all privacy invasions & reading Kreb’s, Major Geeks, others I found the following tools: “Stop Windows Spying “& went for delete all Windows Metro. Oh boy took me a while to re figure how to make my 5yr old ACER AMD quad core work for me , but it does @ lower CPU temps & for shorter intervals of high usage. Next installed O&O Shut Up 10 & Spy Bot Anti-Beacon. Being sure to keep Windows update enabled. As a self taught user with no coding/keyboard skills I’m happy with my new surfboard as I had a lot of self-inflicted problems from monkeying around with Win 7 solved by upgrade to Win 10.” What a long strange trip it’s been”. Yeah one of those from way back when. Removed all Adobe & Flash about 1-2 yrs ago if HTML does not pickup on chrome I link to U tube for a try. Foxit for PDF. Thank You Brian & readers for the many tips, keep up the good work for keeping “the “Library at Alexandria” up & working.

  14. annonymous

    Flash can’t be made secure – it has data that executes.

  15. ger

    And another flash update… Just spotted [and installed] version 19.0.0.226.

  16. mechBgon

    On a practical note, here are some easy security tweaks for Adobe Reader users. First, if you’re not on Reader 11, uninstall your old version (especially if it’s 9.x or below, no sandboxing) and get Reader 11.

    In Reader, click Edit > Preferences and a settings panel opens.

    Go to the JavaScript section and uncheck the box for Acrobat JavaScript. In the Security (Enhanced) section, enable Protected View for all files.

    In Trust Manager, uncheck the box for launching non-PDF file attachments with external applications. I also disable multimedia operations in the Multimedia Trust (legacy) section.

    If this works out for your usage pattern, you get the benefits of Adobe’s sandboxing efforts without a lot of the attack surface they included in their enthusiasm for “rich content delivery.”

    Note that these settings are on a per-Windows-user basis. If your system has more than one Windows user account, set these settings for each of them.

    “I would rather say five words that instruct…” 😉

    1. meh

      Would be cool if there is a way to script all of that for enterprise patching systems.

  17. MrKabul

    What about Shockwave? Typically Flash installs go hand in hand with Shockwave, does anyone deploy it, or need it anymore?

Comments are closed.