December 14, 2016

Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software.


Half of the dozen patches Microsoft released yesterday earned Microsoft’s “critical” rating, meaning the flaws fixed in those updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.

As per usual, the largest share of flaws fixed are in Microsoft’s browsers — Internet Explorer and Edge. Also included in the mix are updates for Microsoft Office and .NET.

According to security firm Shavlik, several of the vulnerabilities fixed in this month’s Microsoft patches were publicly disclosed prior to this week, meaning would-be attackers have had a head start trying to figure out how to exploit them.

As part of a new Microsoft policy that took effect in October, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible).

It’s important to note that several update types won’t be included in a rollup, including those released for Adobe Flash Player on Tuesday. The latest update brings Flash to v. 24.0.0.186 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. According to analysis released this month by Recorded Future, Adobe Flash vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016. Exploit kits are automated tools that criminals stitch into the fabric of hacked or malicious Web sites, so that visitors who visit one of these sites with an outdated version of Flash in their browser can have malware silently installed. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

Image: RecordedFuture

If you choose to keep and update Flash, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera), because the ActiveX control used by IE and the plugin used by other browsers are separate installations.

Chrome and IE should auto-install the latest Flash version on browser restart, although users may need to manually check for updates and/or restart the browser to get the latest Flash version. When in doubt, Chrome users can click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if an update is available, Chrome should install it then.
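Because Windows can end up with several independent copies of Flash (the ActiveX control for IE, the NPAPI plugin for Firefox, and the PPAPI build bundled with Chrome), checking one browser tells you nothing about the others. The following PowerShell script is an added example, not code from the original post or from Adobe; it walks the usual install locations (an assumption; adjust the paths if your layout differs), reads the file version of every Flash binary it finds, and flags any that are older than 24.0.0.186, the version this update ships.

```powershell
# Added example (not from the original post): inventory Adobe Flash Player
# binaries on a Windows machine and compare each against the version that
# the December 2016 update ships, 24.0.0.186.

$Expected = [version]'24.0.0.186'

# Assumed locations: the ActiveX control and NPAPI plugin live under
# Macromed\Flash in System32 (and SysWOW64 on 64-bit Windows); Chrome keeps
# its bundled PPAPI copy in its install tree or in the user profile.
$SearchRoots = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\PepperFlash",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:ProgramFiles\Google\Chrome\Application"
)

function Get-FlashComponent {
    # Emits one object per Flash binary found: flavour, path, version, and
    # whether it is at or above the expected version.
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(Flash(32|64)_.*\.ocx|NPSWF(32|64)_.*\.dll|pepflashplayer\.dll)$' } |
            ForEach-Object {
                # Flash binaries report FileVersion as "24,0,0,186"; normalise
                # the separators so [version] can parse and compare it.
                $raw = $_.VersionInfo.FileVersion
                $ver = $null
                if ($raw) { $ver = [version]($raw -replace '[,\s]+', '.') }

                $flavour = switch -Regex ($_.Name) {
                    '\.ocx$'          { 'ActiveX (IE)' }
                    '^NPSWF'          { 'NPAPI (Firefox)' }
                    '^pepflashplayer' { 'PPAPI (Chrome)' }
                }

                [pscustomobject]@{
                    Flavour  = $flavour
                    Path     = $_.FullName
                    Version  = $ver
                    UpToDate = ($null -ne $ver -and $ver -ge $Expected)
                }
            }
    }
}

$found = @(Get-FlashComponent)
if ($found.Count -eq 0) {
    Write-Host "No Flash Player binaries found in the usual locations."
} else {
    $found | Sort-Object Flavour, Version |
        Format-Table Flavour, Version, UpToDate, Path -AutoSize
    $stale = @($found | Where-Object { -not $_.UpToDate })
    if ($stale.Count -gt 0) {
        Write-Warning "$($stale.Count) Flash component(s) older than $Expected; update or remove them."
    }
}
```

Old copies of the ActiveX control or NPAPI plugin often linger beside the new one after an update, so a stale entry here does not always mean the browser is still loading it; but any binary below 24.0.0.186 that a browser can still register is attack surface, and the cleanest fix is the removal the article recommends.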

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.


31 thoughts on “New Critical Fixes for Flash, MS Windows”

  1. Bruce Hobbs

    I’m still running Mac OS X Version 10.6.8, primarily so that I can continue running OS 9 programs. First Chrome stopped supporting this version, then Firefox and now Flash no longer supports versions before 10.9. Time to upgrade!

    1. mr robot

      don’t bother upgrading until apple offers better desktops and laptops that aren’t just the same thing as last year’s models but with a touchbar added to it for an extra $299.00.

      PFfft. they used to say think different, but now they just need to think harder.

      ain’t nobody got time for touchbar!

      ¯\_(ツ)_/¯

      1. SeymourB

        I won’t buy another Apple product until they stop soldering RAM onto the motherboard and use non-proprietary storage. The last MacBook Pro that didn’t do either was the 2012 model. With maxed RAM and an SSD it has no problem keeping up with the gluebooks in most real-world tasks. As an added benefit you can use all the existing thunderbolt peripherals instead of being restricted to just the new overpriced USB-C ones.

        Kind of sad that the only models Apple makes with expandable RAM now are the 27″ iMac and the Mac Pro, models which only still have expandable RAM because Apple has forgotten that they exist. The 21.5 iMac had replaceable RAM until they realized users were opening up Apple’s hardware to install RAM instead of buying a whole new system, which Apple put a stop to by switching to soldered on RAM (ignore their claims that it’s done for power management – iMacs have no battery to manage).

        The 21.5″ and 27″ iMacs have replaceable storage if you opt for a HD, but the Mac Pro is proprietary storage all the way. Couple that with the outdated GPUs in a proprietary form factor and a ridiculous price and Hackintosh systems start looking like the only sensible option.

    2. EstherD

      Adobe no longer “supports” the latest version(s) of Flash on Mac OS 10.6, but that doesn’t necessarily mean that those recent releases won’t RUN on Mac OS 10.6.

      In fact, they do. I’ve been able to run all the variants of Flash v23 since it was released, and today I successfully installed Flash v24.

      Based on admittedly limited testing, Flash 24.0.0.186 also runs fine on Mac OS 10.6, at least for simple stuff, just like its predecessors.

    1. Cameochi

      That update froze on my machine after it tried to install a second time. According to Microsoft it is to patch a vulnerability in AMD systems. I have nothing AMD on my system so why didn’t Microsoft do a scan to check for compatibility? I managed to avoid the mess and the update is now hidden. A lot of people have had their system trashed so hanging up at 95% is better than having your system trashed.

      To hide bad updates search for a file named wushowhide here: https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/downloadwushowhide/31b63f5b-c521-4af9-be57-768570524cb1

      1. someguy

        You sure it’s about AMD systems? A lot of windows stuff says AMD64 when it really means all 64 bit stuff, including all intel.
        The reason is because AMD beat Intel to the consumer 64 bit CPU race, so ever after it’s now branded that way internally for windows.
        Try searching windows folder for *AMD
        You’ll see a lot of hits.

  2. zed

    One niggle about the advice on patching Flash and Internet Explorer — if you don’t normally use IE, then remove the ActiveX installation, even if you do use Flash in other browsers.

    There’s no point in having to continually update the ActiveX installation of Flash, if you don’t use it.

    JimV also mentioned AIR. I haven’t seen specifics of this particular update, but some portion of AIR updates mirror Flash updates (and include security updates).

    As awful as Flash is, AIR is even worse, in that developers of applications that don’t go through browsers use AIR to provide animation. Even if Google and the other browsers can eventually push web developers to abandon Flash, I’m doubtful that there will be parallel abandonment of AIR.

  3. Arbee

    Both October’s and December’s W-7 updates offered separate packages for .NET Framework. Historically (prior to Oct 2016), you advised installing .NET Framework updates separately / after installing other updates. Under the new regime, that option is still available.

    My experience on a few machines with different flavors of W-7: no problem with December’s updates either installing them in one swell foop or installing the .NET Framework updated separately / subsequently. YMMV.

  4. terry the censor

    A friend uses Windows 10 and it automatically installs updates, period. No more waiting to see if the install is buggy. And now my friend is in a daily install grind.

    Every day for two months now, Windows has been installing the same massive update, rebooting the computer to finish the install, failing at 99%, undoing all the update changes, then letting her log in. A lengthy process. And there’s no way to stop or skip the install.

  5. Phoenix

    The Windows 10 update killed Ccleaner, and good lord, I found CVE-2013-3893 in my computer, put there in October of this year.

  6. Alex W

    Hey Krebs.
    I have a Win 7 machine. I was pretty peeved about microsoft’s dishonesty with the Win 10 spammy, deceptive rollout. As that continued I installed Mint 18 Sarah Cin, and began to install my necessary software.

    It is really good. I was surprised at how quickly I’ve made the transition to almost full-time Mint use.

    I’ve set up a virtual box to run the win programs I can’t find a Linux ver for, and that’s been working well.

    Not all easy-peasy. Having to learn stuff. But the balance point between the two is learning power in Linux or suffering in Windows… I choose learning & power rather than dependency, deception, and now, out and out incompetence by Windows.

    Oh, and the security mess that’s Windows is now a thing of the past… NO Windows, NO AV!

    Soon the Krebs will publish his Win Update pages with a suggestion to get rid of BOTH Windows and Flash!

    (At least a dual-boot… haha)

    Do it Krebs! Do it NOW!

    Happy Digital Trails!

    1. Fred L Finster. WB7ody

      Alex, what a great idea to implement Mint Linux 18.1 Cinnamon. Don’t worry about antivirus, or install the ClamAV tool for Linux. http://WWW.linuxmint.com.

      Create your own bootable USB flash drive installing the Linux Mint 18 .ISO file using the USB writer tool http://etcher.io or http://Rufus.also.ie. Then test drive Linux Mint 18 as a live Linux without installing to the hard drive. What do you have to lose? You can learn about Linux Mint without changing your present Windows install. Just change the drive boot order selection to boot from USB before booting from the hard drive. Check out my web link for more detailed instructions. Fred

  7. guyer

    I have an idea.
    RFID microchips are the solution, then no more fraud.
    It’s the safest way to protect your family and loved ones!
    So let’s get chipped.
    Then no problems. Nobody can steal from you; your money is always with you under your skin !!

  8. H. Hug

    How do you install patch(es) for Firefox?

    And thank you Brian for all you do. Wow!

    H

    1. Anyone

      You mean for Flash? Simply visit the Flash updates page using the Firefox browser.

      1. JCitizen

        I went to check after seeing this newsletter, and Adobe was already updated – once in a while the auto updater actually works. Just check your version number in the programs list, and you might not need to update. I still use the two version for IE and Firefox. I just have too much trouble getting my favorite sites to load without them. Both were auto updated.

  9. Judy

    My online broker uses Adobe Flash. So does my internet provider for webmail. I can’t bail.

    1. Tim

      Tell them to stop. Even Adobe acknowledges that Flash is on the way out. They need to change or else they’ll lose business.

    1. Sasparilla

      One more note – for the download to function properly you need to be using I.E. and you have to be logged in under an admin account (just running I.E. in admin mode won’t do it).

      Those who want the prior updates just Google for the correct month with the description as I’ve listed above and you’ll find them for Nov and Oct.

      Good luck Guys. Security only updates on Windows 7 goes till 2020 and 8.1 goes till 2023 if memory serves.

  10. Chris Pugson

    For Windows 7 users who continue to have difficulties with automatic updates, http://wu.krelay.de/en/ offers information about effective ways to fix the problem.

    Basically it advises the user to install KB3177467 and then KB3172605. I keep these in my toolkit.
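Two of the comments above describe manual checks that can be scripted: the one about hiding a misbehaving update with wushowhide, and this one naming KB3177467 and KB3172605 as the fixes for stuck Windows 7 updates. The PowerShell below is an added example, not code from the post or from either commenter. It uses Get-HotFix to confirm whether those two KBs are installed, then queries the Windows Update Agent COM API (Microsoft.Update.Session) for what is currently pending and shows how to hide one entry by KB number, which is the same toggle wushowhide exposes. Run it from an elevated prompt; the placeholder KB in the final commented line is an assumption to be replaced with the update you actually want to defer.

```powershell
# Added example (not from the original post or the commenters): verify the
# two Windows 7 servicing fixes named in the thread, list what Windows
# Update has pending, and optionally hide one entry by KB number.

$RequiredKBs = @('KB3177467', 'KB3172605')

function Test-InstalledKB {
    param([string[]]$Ids)
    # Get-HotFix reports the same entries as "Installed Updates" in Control
    # Panel; HotFixID is already in "KBnnnnnnn" form.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($id in $Ids) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Get-PendingUpdate {
    # Ask the Windows Update Agent for applicable, not-yet-installed updates.
    # The COM object keeps its own reference so the entry can be hidden later.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KBs      = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
            IsHidden = $u.IsHidden
            Update   = $u
        }
    }
}

function Hide-UpdateByKB {
    param([string]$Id)
    # Setting IsHidden requires elevation. A hidden update stays out of
    # Windows Update until it is unhidden again; a monthly rollup is one
    # entry, so hiding it defers every fix it contains, not just the bad one.
    $targets = @(Get-PendingUpdate | Where-Object { $_.KBs -contains $Id })
    if ($targets.Count -eq 0) {
        Write-Warning "$Id is not pending on this machine."
        return
    }
    foreach ($t in $targets) {
        $t.Update.IsHidden = $true
        Write-Host "Hid: $($t.Title)"
    }
}

Test-InstalledKB -Ids $RequiredKBs | Format-Table -AutoSize
Get-PendingUpdate | Format-Table Title, KBs, IsHidden -AutoSize

# Placeholder KB (assumption): replace with the update you want to defer.
# Hide-UpdateByKB -Id 'KB0000000'
```

The same search string with `IsHidden=1` lists what has already been hidden, and setting `IsHidden = $false` on an entry restores it, so the script doubles as a way to audit what an earlier wushowhide session left behind.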

  11. G. Gillespie

    Not for publication. Request for advice.

    First of all, thanks, Brian, for your great website.

    Perhaps you might find time to clear up update problems with Windows 7 (Ultimate in my case). It has become impossible to install updates. And I have noticed I’m not alone. The Internet is full of requests for help. I’ve followed the advice and performed complicated surgery on my machine. I have tried a whole number of Microsoft fixits. All I get for the effort is Error 0x80070005. Nothing has helped. I did two complete fresh reinstallations after new formatting. No go. Just SP1

    It appears to me you’ve mentioned the problem in passing (e.g. monthly rollups, etc.), but have not gone into any depth. If you have, and I missed it, then I beg your pardon.

    I’m worried. Friends of mine, for example, have been unable to install updates ever since August. Surely there can be no talk of security if updates for virus-prone Microsoft products are no longer available. I would switch to Linux in a second if I didn’t have so damn many Windows programs.

    So perhaps, sometime or another you might explain to us readers just what’s going on.

    Again, thanks for the job you’re doing.

    Gordon Gillespie

  12. WD

    Never imagined we’d do it, but we’ve pretty much walked away from MS products. (shrug) Just fleeing from their “herd em into the killing chute” mentality.

    Public software isn’t as good, and some features are missed – but life doesn’t end without MS.

    One bonus? It’s a *lot* easier to keep these boxes running than it ever was with MS hardware. No comparison. Not just the updates either. When something breaks, you just pull the drive – then transplant into replacement hardware. Try doing that with an MS system…..

    1. KjK

      Indeed, WD.
      I’m probably not doing the same type of work as you, but I agree that life is much more pleasant without the Color Crayon team messin’ with my world.
      KjK

  13. Flash abhorrer

    Flash is awful, and set to “manual enable” everywhere, but I keep it as a few rare sites which I can’t dispense with (yet) that won’t work without it.

    I did scrap IE several years ago back in the day there was apparently no way whatsoever browser Java applications could be effectively disabled in that browser, no matter what the documentation said. (And I eventually scrapped both the JDE and JRE, somewhat to my chagrin).

    Quite often sites which are otherwise “clean” will cause the “enable Flash” message to show. I can’t figure out what element on the page causes this, I guess this might be shown with advertising.

    Flash is also bloatware.

    1) It gets updated automatically with Chrome
    2) I must update it manually for Firefox
    3) It also gets updated with Windows (why, if I discarded IE?)

    So there are three copies of that software permanently floating about. Why?

    And every single [***] time I update Flash it keeps on asking whether they can offload their [***] Crapware onto my machine.

    And every single time I update Flash it also tries to catch me unawares by preselecting the “automatic update” box.

  14. Liberty

    @G. Gillespie

    December 20, 2016 at 7:57 am

    The best Microsoft Volunteer for the help you and others need is
    Canadian Tech. You’ll find him @https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c?page=1

Comments are closed.