May 12, 2010

Microsoft Corp. and Adobe Systems each released security updates on Tuesday. Microsoft issued two “critical” patches that address one security flaw apiece, while Adobe’s patches fix a whole mess of serious vulnerabilities in its software.

One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.

The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications, is used not only by Microsoft Office products, but it’s also a component that is potentially installed by many third-party software apps built to work with Windows.

“Like the ATL issue last July, we could see many vendors supplying their own patches to address this vulnerability,” said Jason Miller, data and security team manager for Shavlik Technologies. “This is just another important reminder that patching is not just a Microsoft issue when it comes to software vulnerabilities.”

As always, the Microsoft patches are available through Windows Update or by enabling Automatic Update.

Adobe issued patches to fix security problems in its ColdFusion and Shockwave Player software packages. Most end users will only have to worry about the Shockwave update, if that. The Shockwave patch fixes at least 18 security vulnerabilities in the commonly-installed media player application, on both Windows and Mac systems. Adobe has assigned the bugs an aggregate “critical” rating, meaning that an attacker who successfully exploited the flaws could seize control over an affected system.

Here’s a way to test whether you even have Shockwave Player on your system: Visit this page. If it says you need to install a missing plugin, then you don’t have Shockwave Player installed, and you probably don’t need it. I haven’t had it on my main PC since I bought the thing more than a year ago, and apparently I haven’t missed it.

If that link above shows that you do have Shockwave Player installed, it’s time to update it. The flaws are in Shockwave Player version 11.5.6.606 and earlier. Adobe recommends that Shockwave users actually uninstall the program (Windows users can do this via the Add/Remove Programs menu), and then reboot before attempting to install the latest, patched version, v. 11.5.7.609, available here.


22 thoughts on “Microsoft, Adobe Push Critical Security Updates”

  1. Mike

    There is definitely some inconsistency with the Shockwave upgrade issue. I went to the web page you provided to see if I had it installed. It shows that I have version 10 installed and the table on that page says that the versions shown in the table are the last versions. The version shown in the table is version 10. So I went to the addons section of my browser to see if there was an update to Shockwave – no updates which means that Adobe hasn’t pushed this to Mozilla yet. Adobe has not done very much to push this update. In fact, I didn’t know about it until I read this article. Adobe needs to do better by its users.

      1. David Chasey

        OK, help me out here, Brian. As I understand it, what shows up in Firefox Add-ons as Shockwave Flash is actually plain old Flash, and as such the number you showed — beginning with 10 rather than 11 — is the number we should match with what appears in Firefox Add-ons as Shockwave Flash.

        Indeed, when I tried to do an update through Firefox this nominative Shockwave Flash showed up as being up-to-date.

        This is why we need you, Brian. A problem that gives many of us brain hemorrhages you solve by cutting through the very knotty Gordian knot.

        And, guess what: before I checked out your explanation I actually downloaded Adobe Shockwave, a program I had deleted from my computer when you recommended we ditch the buggy thing. I had figured that if Firefox ain’t going to fix it I better install it, so as to keep track of it.

        Anyone have a used Mac to sell?
        – David

      2. Solo Owl

        To uninstall older versions of Shockwave you may need Adobe’s uninstall tool. It can be downloaded from
        http://www.adobe.com/shockwave/download/alternates/
        (scroll down to Shockwave, and click on the Uninstaller).

        Even so, Secunia PSI detects remnants of old Adobe versions scattered about the hard drive. These must be marked as system or something because they can’t be deleted.

  2. Scott Knowles

    I’m confused. After installing the Mac PPC version, Safari (plug-ins) and Apple’s test Web page shows, “Shockwave Flash 10.0 r45 — from file “Flash Player.plugin” installed, but the plug-ins pages also shows, “Adobe Shockwave for Director Netscape plug-in, version 11.5.7”. What am I supposed to see?

    1. timeless

      According to Adobe’s get page, if you have Shockwave Player, the current advertised version is:

      Adobe Shockwave Player version 11.5.7.609

      (That’s the Adobe Shockwave for Director Netscape plug-in.)

      I’m not sure if your 11.5.7 is the same as the 11.5.7.609, I believe it is.

      The Shockwave Flash 10.0 r45 plugin you have is Adobe’s *other* plugin, the current version of which seems to be 10.0.45.2, you can check to see if that plugin is current by visiting http://www.adobe.com/software/flash/about/

      1. Scott Knowles

        Thanks, I’m current. I don’t uninstall any previous versions with new versions, and it doesn’t seem to mind. It only checks if your browser is open. It won’t install if it is, so you have to reinstall after closing the browser. I always reboot after any application update or installation as a matter of practice. I don’t use Flash player as I have Flash CS4 with its own player where the different version numbers arise.

  3. Jim

    I’m wondering if all Adobe Flasher users should send Adobe a small donation? Every time an Adobe download is required, I must be alert to unchecking the toolbar offer.

    1. 67GTV

      With all the money Adobe charges for its application suites, no way! Besides, I cannot recall an Adobe product ‘offering’ another product’s toolbar recently. Perhaps you’re referring to Java updates? What with their ‘offering’ the Bing toolbar, OpenOffice.org, etc. In any case, we have to be diligent. Don’t just click, Next, Next, Next.

  4. d

    This is yet another reason why I wish Apple would simply not only dump Flash, but Adobe as well. The only Adobe flash on my system is the Firefox plugin. I wish FF would dump that or add some other type of program to do what Flash does on a Mac. I only use Firefox because I don’t want to see ads jumping and blinking, so I use No Script to block all I can. When I hit the “Find Updates” button for plugins, it tells me that my QT plugin is out of date, it constantly sends me to QT for Leopard, but I am using Snow Leopard. According to Apple, I have the correct version of QT for Snow Leopard.

    Adobe/Macromedia or Flash/Shockwave, what’s in a name?

  5. JCitizen

    I wished webmasters would go to silver-light or anything but Adobe. I get tired of the longer and longer periods that they leave that utility in vulnerable standing.

    Not even mentioning the confusion they cause the public. Java is not much better, but at least they update for vulnerabilities pretty well now.

    For those of you confused whether you need a new version; I’ve had really good luck with File Hippo’s free update checker. They even let you know if you want to try a beta version; and they only point you to the version you need for your particular installation. This way, there is no fussing about which Windows OS you are using, and whether you are getting the proper update.

    This lightweight free utility actually jumps the shark on Secunia PSI much of the time. This gives the user several days head start on zero day vulnerabilities, and can keep malware from taking control of your PC.

    As is stated in Brian’s article – you may have to uninstall the previous version, but I load the new one first. I can always see the older version in the add/remove programs applet, and uninstall it next. Getting older or unsupported applications off your PC is critical to PC safe practices. Secunia PSI will even point to end-of-life programs, and these should always be uninstalled, removed, or deleted.

  6. muffin

    thank you for the link differentiating flash player from shockwave player. a friend of mine told me about your blog about a month ago. i’m learning a lot from it and the comments. i’m not a computer expert by any means, but i do want to learn more and be safe. where could i get a list of the programs you think are unnecessary?

  7. Phoenix

    Incidentally last week Foxit Reader sneaked in an update. There is now a “Trust Manager” among its preferences to block the launch function (or at least I hope it does).

  8. JBV

    Adobe had an update message for Shockwave on my computer this morning. I clicked on it and it downloaded and installed the latest version. It did ask if I wanted a Google toolbar after downloading. But, it did not require removing the old version or rebooting. Add/remove programs shows only the newest version. Very simple. Maybe their notification process has improved?

    1. JCitizen

      I believe Adobe has a new download manager that does make life somewhat easier. Plus the fact that the installation utility removes some previous versions, but not all of them.

      1. Solo Owl

        Adobe AIR (whatever that is) and Adobe Updater appeared unbidden on my computer with some update. This prompted me to uninstall every scrap of Adobe from my computer. After running the jv16 Registry Cleaner, I made a fresh “offline” install of Adobe Flash from a downloaded file.

        Part of my reaction is conditioned on the fact that when you install Adobe Reader, you get AIR and Updater (and who knows what else). The total installation exceeds 100 MB. Pure bloat.

        Compare that to Sumatra PDF Reader — less than 2 MB. The Sumatra install file will fit on one floppy. Imagine!

      2. Solo Owl

        If it does not completely remove all parts of the older version, then it sucks. You might still have a vulnerability that may be useful to some criminal.

        1. JCitizen

          Dear Solo Owl;

          This is why I like Secunia PSI so much. It points to files that may be left behind and could be used to compromise the PC.

          I use the file path to go delete the offending remnant and then run CCleaner registry cleaner just to be sure. Then reboot.

          JV16 would be better; I just haven’t had the money to purchase the lifetime license. I will do it ASAP!

          1. Solo Owl

            In addition to jv16 Power Tools, Macecraft also has the free Power Tools Lite. It is not configurable and tags much less for deletion; you can’t harm yourself. It is eminently suitable for nontechies.

            CCleaner, like every Registry cleaner I have used (except jv16) has seduced me into removing something that some program needed. Also, CCleaner, on its main pages, offers too many options for the casual user. Its defaults are too far-reaching for me.

  9. Jonathan

    Quote: “If that link above shows that you do have Shockwave Player installed, it’s time to update it.”

    Surely that should read:

    “… it’s time to delete it.”

    There is effectively zero need to have it installed, so get rid of it and avoid having the pointless headache of needing to keep it up-to-date.

  10. Robert Guenther

    I have Microsoft Vista Home Basic edition and Microsoft Office 2007.

    I had to turn User Account Control off to install the Microsoft Office update. With User Account Control on, the update failed with error 646.

  11. David

    6/2/10

    Brian,

    As I recall, the Secunia Software Inspector, admirable and convenient as you state, requires Java’s JRE to work. But, for the record, don’t you also find JRE often to be a target of security issues, so much so that you recommend purging JRE from one’s system if possible? I would appreciate your thoughts.
