December 8, 2015

Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.

Three-quarters of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning malware or attackers could use the flaws fixed in these patches to fully compromise vulnerable systems with zero help from users. What’s more, two of the vulnerabilities are actively being exploited, including a bug in Windows and Microsoft Office.

As per usual, a patch for Internet Explorer addresses a huge chunk (30) of the individual security flaws tackled in this month’s update cycle. Microsoft also released a critical patch to correct 15 weaknesses in Microsoft Edge, the browser meant to supplant IE.

According to security firm Shavlik, supported versions of IE will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. More information about this change is available here.

The SANS Internet Storm Center is reporting that some Windows users who have Outlook installed are experiencing some difficulties using the program after applying this month’s updates. If you use Outlook, it may be wise to put off installing this patch for a few days until Microsoft addresses the issue.

Another vulnerability — fixed by a patch for domain name system (DNS) servers that run on Windows Server — could prove extremely dangerous for organizations that rely on Windows Server for DNS services. According to SANS, Microsoft rates the exploitability as “2”, but doesn’t provide many details about the nature of the vulnerability beyond the fact that it can be triggered by remote DNS requests, which is bad news if you are using a Microsoft DNS server exposed to the public internet.

Adobe’s Flash update brings Flash to version 20.0.0.228 for Internet Explorer and Chrome on Windows and Mac systems, and 20.0.0.235 for Windows and Mac versions of Firefox and Safari.

As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing. To disable Flash, click the “disable” link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplug Flash from the browser you use for everyday surfing, and leave it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
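To check which Flash Player builds are actually present on a Windows machine after patching, here is an added example (not from this post): a PowerShell script that reads the ActiveX control used by IE and the NPAPI plugin used by Firefox from the Macromed\Flash folders and compares each against the patched versions above. The folder locations and file-name patterns are assumptions about how Flash installs itself, not something stated in the post.

```powershell
# Added example: report installed Flash Player builds on Windows and whether each
# meets the patched version named in the post (20.0.0.228 for the IE ActiveX
# control, 20.0.0.235 for the NPAPI plugin used by Firefox/Safari).
# Assumption: Flash puts its ActiveX control as Flash*.ocx and its NPAPI plugin
# as NPSWF*.dll under <SystemRoot>\System32\Macromed\Flash (and SysWOW64 on x64).

$Expected = @{
    'ActiveX (Internet Explorer)' = [version]'20.0.0.228'
    'NPAPI (Firefox/Safari)'      = [version]'20.0.0.235'
}
$Patterns = @{
    'ActiveX (Internet Explorer)' = 'Flash*.ocx'
    'NPAPI (Firefox/Safari)'      = 'NPSWF*.dll'
}

# Both plugin directories; a 32-bit OS only has the first one.
$FlashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
               "$env:SystemRoot\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ }

function Get-FileVersionObject {
    param([System.IO.FileInfo]$File)
    # Build a comparable [version] from the numeric parts of the file's version info
    # so the comparison does not depend on how the version string is formatted.
    $v = $File.VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

function Get-NewestFlashBuild {
    param([string]$Pattern)
    # Newest matching file across the plugin directories, or $null if none exist.
    if (-not $FlashDirs) { return $null }
    Get-ChildItem -Path $FlashDirs -Filter $Pattern -ErrorAction SilentlyContinue |
        Sort-Object { Get-FileVersionObject $_ } -Descending |
        Select-Object -First 1
}

foreach ($kind in $Expected.Keys) {
    $file = Get-NewestFlashBuild -Pattern $Patterns[$kind]
    if (-not $file) {
        '{0,-30} not installed' -f $kind
        continue
    }
    $found  = Get-FileVersionObject $file
    $status = if ($found -ge $Expected[$kind]) { 'up to date' } else { 'NEEDS PATCH' }
    '{0,-30} {1,-12} {2} ({3})' -f $kind, $found, $status, $file.Name
}
```

A machine that shows “up to date” for ActiveX but “NEEDS PATCH” for NPAPI is the case the post describes: the IE update ran, but the second pass from the alternative browser has not.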

This entry was posted on Tuesday 8th of December 2015 07:45 PM


42 thoughts on “Adobe, Microsoft Each Plug 70+ Security Holes”

  1. Stratocaster

    It is a colossal bother that Adobe will be disabling their Flash Player standalone installer download page next month, forcing home users with multiple machines (and/or browser platforms) to go through the tedious Adobe Downloader process on each one of them. But no money in freeware, right? And it increases the chance of undesirable bloatware coming along for the ride if we forget to uncheck those boxes before downloading the downloader.

    Enterprise administrators have an alternative, but it requires some hoop-jumping.

    1. Moike

      Thanks Adobe for making it harder to stay secure! Having to revert to the stupid upgrade page for each system next year finally gave me the motivation to uninstall Flash from 2 systems. WINNING!

    2. Mike

      Can someone please explain to me what benefit there is to allowing us to download only a 1.1MB installer STUB, only to spend more bandwidth later for every machine that stub gets run on?

      Allowing me to download a 17.5MB installer once is less taxing on their servers for the 50 installations I’ll do with that one installer. What’s the stupid angle on these installer stubs, like what CNET and FileHippo tried to start using?

      1. Sasparilla

        The angle is pretty straightforward. Using the web installer Adobe can get some revenue by users allowing ad-ware to be installed via the web-installer.

        Simple as that. Best way, IMHO get rid of it entirely, but if you really need it use Chrome for your Flash only needs and one of the others (Firefox, I.E., PaleMoon etc.) for most of your browsing. JMHO…

    3. Chris Thomas

      Shows just how out of touch with the world the high-ups in Adobe are.

    4. Jean Watson

      The Adobe Flashplayer Distribution License Agreement wasn’t so hard a hoop to jump through – it’s not restricted to enterprise, and simply restricts redistribution outside intranets generally. To me that’s fair enough for any ware, even the egregious Adobe’s stuff.
      We have to use Flashplayer to receive national tv and radio offerings. As with others here, my home users either use a separate Mozilla profile that’s been set up for exclusive ABC streaming, or IE for Flash streaming if they know not to surf dangerously. IE and Flash is increasingly a smoother experience than with the Moz browsers, I find.
      I can’t trust all home users to avoid adware traps and prefer to guide all similar admin installs like these for the younger members of the household anyway; it certainly makes the process smoother to have a single install file from which to do these installs.

      I identified myself to Adobe as a home user managing an intranet comprising several Win machines and was supplied with a link that’s valid for a year.
      Time between Adobe validating my email addy and issuing of the download link was 5 minutes.

      Go to the following page to start the process:
      http://www.adobe.com/products/players/fpsh_distribution1.html

  2. Dennis Wright

    My Flash updated to 20.0.0.235 for Windows and Firefox 42

  3. Erik

    Ugh. I would get rid of Flash if only I didn’t need it to access VMWare vCenter Server. A million curses on VMWare for building their UI on the security nightmare that is Flash. Another million curses on VMWare because some of the people you really, really don’t want getting infected by Flash are the ones accessing vCenter. Ah well, running vCenter from a browser in a VM will have to do…

  4. Robin

    I run Firefox in Windows 8.1 and never (consciously) use IE at all. Would I still be vulnerable to flaws in IE? I mean, does Windows (or do some Windows apps) run ‘bits’ of IE that could be exploited even if the browser is not obviously running?

    1. Hayton

      Maybe. For instance, anyone with McAfee software should be aware that the McAfee user interface needs IE to be present in order to work correctly.

    2. CitizenX

      Yes exactly. IE is used all over windows. Windows update, the Help files that render HTML, Outlook Preview, etc. Best update that IE, no reason not to really.

  5. Likes2LOL

    Brian Krebs wrote,
    “…users who have Outlook installed are experiencing some difficulties using the program after applying this month’s updates. If you use Outlook, it may be wise to put off installing this patch for a few days until Microsoft addresses the issue.”

    As always, Brian, thanks for the heads-up on the availability of updates, and your steadfastly sage advice! 😉

  6. GM

    I removed Flash months ago and really haven’t missed it. Same with JRE.

  7. Andrew Rossetti

    Just a heads up. Update KB3114409 is causing problems with Outlook. On my system it caused Outlook to only start in Safe mode. Hopefully Microsoft will pull this and re-release soon.

    1. Robert

      Remove KB3114409 and reboot will fix the Outlook problems. The patch has already been pulled.

      1. Thomas Caldwell

        Had loads of fun with that one this morning… several people had it. Luckily the article describing the fix was the first Google search result. It was funny watching the comments go from 2 pages to 8 in only a few minutes.

      2. Bob

        Thanks to Brian, Andrew, and Robert for the heads-up on the Outlook problem. I never install updates until I check here. My Windows 7 Ultimate desktop will be OK since I don’t allow automatic installation of updates. Not sure what will happen with my wife’s new Windows 10 Pro Surface Pro 3.

  8. Mahhn

    I would like to remove Flash and Java in our work environment, BUT Cisco, VMware, and several business apps are built to need this junk because it was “easy” for the developers. Thank goodness they don’t make cars.

  9. Me

    I have disabled Flash on Chrome, allowing it to run only when needed by right-clicking and running as needed. It has the added advantage that many auto-play videos won’t auto-play anymore.

    I also created a virtual machine with Ubuntu on it and use that for most of my browsing. I’m using Oracle Virtual Box to run the VM. It is quite easy if you are a little tech-savvy. Give it a try folks.

  10. Martin

    “Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software”. That’s without taking into account all the monthly updates to Flash that have preceded this particular update. To call this incompetence doesn’t even come close. If you deliberately tried to insert back doors into a piece of software, you’d be at best 2 orders of magnitude below that which Adobe has achieved without even trying. It defies comprehension.

  11. Bird

    For me, the latest Microsoft update that put my Outlook 2010 into Safe Mode was KB2687455, Microsoft Office 2010 Service Pack 2 (SP2), 32-Bit Edition. Uninstalling SP2 fixed everything.

    I didn’t even have KB3114409 on my installed list unless it’s wrapped within KB2687455 somehow.

  12. Charles

    Has anyone had any experience with EMET (The Enhanced Mitigation Experience Toolkit from Microsoft) which is supposed to help containerize threats related to Office, Java, Flash and others?

    It seems like it might be worthwhile for those of us who need to use Java and Flash.

    1. Patrick Star

      EMET is a very good idea for Flash as well as web browsers in general.
      However, for Java the benefit is considerably smaller: It doesn’t help at all against the “popular” Java vulnerabilities as they aren’t memory corruption bugs. Instead they are logic errors that allow an untrusted applet to run with unrestricted access to the system. Also has the “bonus” that they are 100% reliable and even cross-platform. True nightmare.

  13. Steve

    I download the flash installer, get the 1.1M stub instead of the 17.1 executable, and when I run the installer, I get “Connection failed”. Nothing I’ve tried works on 2 different computers, so I’m wondering if there is something different going on with Adobe (this update).

  14. fred

    I stopped taking Win updates to avoid getting Win10 over my Win7, and more importantly the Win spying that comes with Win10. What are Win7 folks to do to keep their OS up to date?

    1. Joe

      I noticed yet once again (3rd time this year by my count) that Microsoft has tried to sneak in the Windows 10 upgrade. It was there again in this latest round of updates. It was listed under “Optional Updates” and was, as usual, already check marked for install when as a rule “Optional Updates” should not be that way. I had to uncheck it and “hide” it to get rid of it. It’s a shame Microsoft does this. You need to get the critical updates and just pay close attention to the “optional” Win 10 upgrade they try and force on you.

      1. Chip Douglas

        The WIN 10 update is a nuisance. I found a nice piece of software that deals effectively with this and I installed it several months ago with no problems. I am no longer bothered with the GWX icon or any downloads for WIN 10. For those that are interested it is called GWX Control Panel (previously named GWX Stopper). It is a free program that you can use with Windows 7 and Windows 8. Simple and works like a charm. You can find it here:
        http://blog.ultimateoutsider.com/2015/08/using-gwx-stopper-to-permanently-remove.html

    2. Darth V

      I turned off Windows Update as well to avoid Win10. Getting quite disgusted with Microsoft’s tactics to force upgrades. Win7 is officially supported until 2020, leave me alone! Basically, I’ll wait until after Patch Tuesday (MS’s normal monthly patch day) and check some reputable sites (Ask Woody, Windows Secrets, etc.) before I manually do updates. They’ll tell me what to avoid. Then I’ll typically only install the critical security updates and uncheck all the rest. But if they keep up their cr@p, I may just have to stop updating Windows altogether. That would work for me, as I dual boot with Linux Mint and run that 90% or more of the time. Eventually, after I find replacements for my Windows programs, I’ll just stop running Windows and go Linux full time.

      1. Sasparilla

        If you do some digging you can find the updates that bring this stuff onto your machine and uninstall them then keep them from installing in the future.

        Nearly all of them are not critical updates – which is something you really want to keep up to date with.

        Here is a link detailing the updates for the data monitoring that was backported to Windows 7 & 8 from Windows 10:

        http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

        Google will help you find the Windows 10 updates and you can go back to a secure Windows environment till the Linux switchover. Good luck…

  15. WB7ODY Fred

    Slacko64 6.3.0 http://01micko.com/blog/

    http://puppylinux-or-pcbsd.blogspot.com My tiny blog

    http://distrowatch.com 100s of Linux distributions written about

    Fred, you have to take care of your own OS survival. When Microsoft is finished with Win7, you will either move on up to get Win10 and stay with Microsoft or move over to Free Open Source Software (FOSS) and have liberty.

    http://linuxmint.com Check out the live version of Linux Mint 17.2 Rafaela or 17.3

    Best wishes in your own computing choices, Fred
    Wb7odyFred

    10 minutes, 2 downloads, 1 usb flash drive. Move from windows to liberty FOSS, people.
    I am typing this from a laptop booted from a USB flash drive with Slacko 6.3.0 32 bit O/S. Logged on through wireless Wifi connection. You can have the same freedom, too. Yes, this laptop also boots Windows7 and PCBSD 10.1.2
    At some point in the future, lack of Win7 support will cause you to move to a different O/S.

  16. Joe

    Thanks Mr. Krebs for always providing us with your valuable web site! You are much appreciated! Merry Christmas and Happy New Year!

  17. Chris Pugson

    Malwarebytes Anti-Exploit (free version protects web browsers and associated plugins) is an excellent defence against Flash exploits.

    1. Chip Douglas

      I have used this in the past but I also run EMET. Now there is a conflict and Anti-exploit will not run with EMET enabled. I chose to stay with EMET.

  18. Heron

    KB3104002 (security update for IE 11) hung on our Windows 7 machine last night. I was able to install the rest of the updates this morning, and am going to try reinstalling the one that failed on its own this afternoon.

    Malwarebytes Anti-Malware seems to make it harder for our computer to install updates, for some reason. I stopped it from running before I installed updates this morning, and the process went much more smoothly than it has been since I started running the paid version of MBAM. I’ve read that the program can interfere with restoring a computer to an earlier state, too. Hm.

  19. Mike

    “Who’s still using Internet Explorer? And why won’t they upgrade?”

    A headline from ZDNET.

    I’ve been asking this question for so long, I can’t remember a time when it was any other way.

    1. Patrick Star

      IE isn’t any worse (or better) than any other major browser. Used to be quite awful in its earlier days, but MS has learned a thing or two since.
      (Writing this from Firefox on a decidedly non-Windows system, by the way…)

  20. haneen

    I’ve been asking this question for so long, I can’t remember a time when it was any other

  21. Likes2LOL

    FYI — Leo Notenboom offered this link to solution to Microsoft’s latest update SNAFU:

    Ask Leo! – Again? Sigh… https://www.facebook.com/askleofan/posts/10153319522237963

    How to fix Microsoft’s latest Windows 10 update blunder: nuked Office templates | PCWorld
    Microsoft pushed out yet another problematic Windows 10 update, and it erases customizations made to the ‘normal’ template in Word 2016.
    http://www.pcworld.com/article/3018001/consumer-electronics/how-to-fix-microsofts-latest-windows-10-update-blunder-nuked-office-templates.html

    “If you use Word 2016, the latest version of Microsoft’s word processing app, and install the company’s most recent Windows 10 patch, the update wipes out your “normal” template. That little file, named normal.dotm, is important because it contains all of your macros, autotext blocks, autocorrect entries, styles and more customization options. If that normal.dotm file gets nuked, all of your tweaks and customizations are erased, and you need to recreate them, which is a major pain for folks who use heavily customized templates. Word still works, but the software reverts to its default settings.”
