November 11, 2015

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

brokenwindowsOne-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical bugs in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk. 

brokenflash-aNew analysis from Recorded Future shows that Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Exploit kits are crimeware packages meant to be stitched into the fabric of hacked Web sites; when a visitor arrives with outdated browser plugins, that visitor’s computer is silently seeded with malware. Eighty percent of the time, these kits are checking for browsers that aren’t up to date with Flash patches.

As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update (version 19.0.0.245 is the latest for Mac and Windows systems), the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).


39 thoughts on “Critical Fixes for Windows, Adobe Flash Player

  1. Zach

    Great article. I think that Flash in Chrome, by default, now has to be activated before it can be ran. I know that when I go to chrome:plugins, my Adobe Flash Player is not Disabled and it is also not ‘Always allowed to run’.

    Anything a Flash applet pops up on a web page, I have to right click and enable the plugin.

  2. Eaglewerks

    Thanks for the ‘Heads-Up’ Brian. The Microsoft updates all installed on my Win 10 machine with no problems. I had to manually download and install the Flash update for Mozilla. It is good to note that for the first time the MS Edge Flash version is now numbered the same as the other main stream browsers versions.

    I am somewhat dismayed to find that more and more of the sites I need to visit, even new subscription somewhat proprietary sites are using Flash. I wish their programmers would find a viable alternative. I had heard HTML/5 would be a solution, but apparently not.

    1. Howard

      And this is why Windows 10 needs to have controllable patch application reinstated. What are we supposed to do when a patch is bad and there is no way to remove it in Windows 10?

      1. Andrew Rossetti

        I wonder if this is the cause of PowerPoint crashes as well. I know it isn’t the patch specifically for PowerPoint, since uninstalling that one didn’t solve the crash issue. Thankfully a refresh of my virtual desktop did the trick.

        1. Kent

          PP 2010 was crashing on all machines. I had to go through one by one of my security updates to figure out which one it was. After uninstalling this, the problem went away.

      2. Tarek

        You shouldn’t be using Windows Sidebar gadgets in any case. Since most of them are Internet-aware or Internet-connected, they’re windows into your computer. And the Sidebar itself is a system-level application, which means it has some elevated privileges.

        For these reasons, Microsoft suggests you stop using Sidebar in Windows 7 and Windows Vista. *supposedly* Windows 8 and Windows 10 are safe, but I doubt that they are. In any case, it’s always good practice to minimize the available attack surface and eliminate unnecessary services.

    2. Dave

      Thank you, your message saved me tons of grief and stress. Uninstalled the update and everything seems to work.

  3. Chris P Bacon

    Anybody else getting totally fed with Microsoft Windows?

    1. Darth V

      Totally. I will *not* “upgrade” to WinSpyware, er, Win10. All my machines at home have Linux installed, and I run that more often than Win7.

      Actually, I started getting real sick of MS after they took away the old VB language when .NET came out, yet continued to include it as the macro language for Office. WTF? Couldn’t keep the core language at least source code compatible, yet you still market it elsewhere? Talk about flushing millions of LOC from businesses all over the world just so they could force us to “upgrade” to the latest and greatest. Been wanting to get out of software development for a long time, and I see the light at the end of the tunnel a few years from now. Can’t wait, and can’t wait until I can leave MS behind for good.

  4. Nobby

    I think you got spellchucked, I believe you mean “bugs” rather than “budgets” in Windows.

    Keep up the good work!

  5. paul

    Hi Brain

    Can you add a link to where people can updated Flash player

  6. Matthew P Clements

    It looks like the Microsoft patches are also blowing up Office installations as well – so far I’ve have to repair three this morning.

  7. Eric

    Another option for Firefox users is to create a 2nd profile. One with flash enabled for those few things that need it, and one without.

    1. twinmustangranchdressing

      Is it possible two run two different Firefox profiles simultaneously? I wouldn’t want to shut down my primary profile and launch another one just to view a Flash video.

  8. Cog

    Microsoft Edge still has a shockingly bad habit of getting browser hijacked.

  9. Chris Thomas

    Malwarebytes Anti-Exploit (MBAE) should be on every Windows PC (XP onwards). The free version protects all common web browsers from web site borne exploits and this includes Adobe Flash over the web and also Java. Search “malwarebytes MBAE download”.

    I have no connection with Malwarebytes except as a beta tester and contented user.

      1. JCitizen

        @kjstech

        Probably not much different, as my last update yesterday declared I had to uninstall EMET to use Anti-Exploit. As buggy as EMET is, I didn’t have a problem uninstalling it. I trust Malware-bytes to write better code for this kind of protection.

    1. Eric

      Believe it or not, at our company they *required* us all to uninstall MBAM. The reasoning was because of licensing – MBAM is only free for non-commercial use.

      I asked whether it would have made more sense to purchase a license for the entire company, and at one point they apparently considered it. But some yahoo in IT snagged the money with the claim that they could block the malware at the firewall. I just have to shake my head – better than banging my head against the wall, I guess..

      1. Mike

        A very big portion of all this nonsense CAN be stopped at the firewall. The reasons this method often doesn’t work are associated with getting thwarted via software on machines behind the firewall that open ports, call home, reach across the net to specific servers, that are poorly coded, or are seen as “good” or “needed”. Blocking something at the firewall means that it doesn’t need to be blocked within all the machines (individually) behind the firewall. This process works best when the IT staff/IT admin actively monitors whatever that firewall does or does not filter out.

        A very important piece of this has more to do with all the money and effort put into advertising. There are other facets to ‘website optimization’ and the idea of being the first item to show up on a google search. NOT all companies actually “need” this.

        We all complain about all this problems but there are web coders among us that really should think about the monster THEY are creating. google syndicate is NOT a good thing. You can’t embed links to 3rd and 4th parties into external javascript files circumventing anti-virus/anti-malware software without creating problems. It is precisely THOSE 3rd and 4th parties that leave behind cookies that not only track and call up other servers at often bring in viri/malware. Filter THOSE out at the firewall and the problem is fixed (NO software to update). What happens though is that various adverting departments get all upset and threaten ‘law suit’ against anyone that actively filter these things out. This causes management to decide against filtering (when there is weak or no IT department). BYOD expands on these issues.

        It’s all just SOOOO much easier to handle on a home network. But, most home networks are had by people that are not knowledgeable enough to implement such things. Infact, current trends put ISP’s in control of more and more home networks via routers being built into one device with the modems.

  10. Nate

    Don’t install KB3097877 if you have a touchscreen either. Especially not if you are on a tablet. It is preventing login after the machine restarts from the patch.

  11. Dave

    Hey Brian, any chance you could do a writeup on permanently getting rid of Flash at some point? Since it’s built into newer versions of Windows, the standard uninstaller won’t get rid of it. I’ve tried all sorts of ways of scraping it out of the system, but it just keeps coming back. It’s like malaria, you deal with the symptoms and think you’re OK, and then suddenly it hits you again.

  12. Steve

    Microsoft apparently fixed the KB3097877 patch late last night and re-released under the same KB number.

    “This security update was rereleased on November 11, 2015 for Windows 7 and Windows Server 2008 R2 to resolve an issue where crashes occurred in all supported versions of Microsoft Outlook when users were reading certain emails.”

    https://support.microsoft.com/en-us/kb/3097877

    http://www.infoworld.com/article/3004441/microsoft-windows/microsoft-surreptitiously-reissues-botched-patch-kb-3097877-for-windows-7.html

  13. JCitizen

    Surprisingly, when I did the patch Tuesday updates, flash actually automatically updated all versions!

    That rarely happens!

  14. Ron

    The initial release of KB 3097877 on Windows 7 broke more than Outlook. For me it broke TeamViewer and RocketDock. I usually wait a few days on these updates just for this reason. I didn’t wait this time so I had to reload a C: drive image from last week. My elderly parent have updates automatically installed. What a mess. It took Microsoft a day and a half to fix the patch. After fixing they released the patch under the same KB number. How do I know which I have installed now?

  15. Dave B.

    Don’t know if anyone else uses Dell NetExtender, but the re-issue of KB3097877 seems to kill it’s ability to connect.

  16. bob

    I don’t know if it is related to KB3097877, but after Windows update ran yesterday, I wasn’t able to get Firefox to run. I did a system restore, and it worked again, so one of the updated hosed the windows plugin for Firefox. I am going to wait a few days before installing updates again, hopefully they will figure it out. It seems like it is time to start learning Linux …

    1. Likes2LOL

      bob wrote, “I am going to wait a few days before installing updates again, hopefully they will figure it out.”

      FYI, the Microsoft QA team works extra-special hard on Black Tuesday + Day 1 and Black Tuesday + Day 2… 😉

      “Band-Aid on a Band-Aid” illustration by InfoWorld at:

      Microsoft surreptitiously reissues botched patch KB 3097877 for Windows 7 | InfoWorld
      http://www.infoworld.com/article/3004441/microsoft-windows/microsoft-surreptitiously-reissues-botched-patch-kb-3097877-for-windows-7.html

      KB 3097877 crashes Outlook, causes network sign-in black screens | InfoWorld
      http://www.infoworld.com/article/3004519/microsoft-windows/kb-3097877crashes-outlook-causes-network-sign-in-black-screens.html

      1. Debbie Kearns

        I can see that you’re not the only one. Ever since I installed updates on Patch Tuesday, I can log into Facebook, but I can’t log out of it using Internet Explorer. Every time I try to log out of Facebook using IE, the computer ALWAYS freezes forever and crashes, so I am forced to manually shut down the computer and turn it back on again! This stinks! I’m using Windows 8.1, BTW. I can still log in and out of Facebook just fine with Google Chrome, but not IE.

        1. CooloutAC

          IE is the most unsafe browser, I would use firefox for random browsing, and chrome only if you need flash. Do yourself a favor and drop IE.

          On another note, I’m really upset that these drm streams, for example hbogo or starzplay, still use flash on the desktops. Is the pc’s getting left in the dust for android and ios? Amazon and netflix made the switch to html5 for desktop pc’s, what the heck is taking everyone else so long. Is it really a conspiracy to get everyone with a surveillance device(smartphone/tablet) in their bag or pocket? lol Or maybe it was Steve Jobs foresight in boycotting it, and all the other mobile devices followed suit. I But is using a desktop pc ancient history? I don’t like watching a movie on a little tiny screen, it gives me a dam headache and ruins my eyesight! lol

          Not only is flash such a huge security risk, but it is also horribly coded and bloated, and runs like crap on most machines and various platforms most of the time and makes these web designers look incompetent, why would they not immediately re-design their pages, they’ve had years now an flash just keeps getting worse and worse.

Comments are closed.