Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.
One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.
Microsoft has more details on and links to the other two patches — rated “important” — at its Security Response Center blog. The updates are available through Windows Update or via Automatic Update. The software giant chose not to address an Internet Explorer vulnerability that hackers have been exploiting since late January, although the company has issued a stopgap “FixIt” tool for that flaw.
In other news, Apple has released an update to iTunes that corrects more than 50 security vulnerabilities in the Windows version of this software. That patch bundle is available from Apple Downloads or via the Apple Software Update program that now comes bundled with iTunes and other Apple software for Windows.
I’m a bit behind in reporting on important updates to Adobe’s Flash and Shockwave players that fix a load of problems with these widely-installed software packages. The Flash update bumps the player up to version 10.2.152.26, and plugs at least 13 security holes on both Windows and Mac installations. To check which version you have installed, visit this page: There is a decent chance that Adobe’s built-in updater has already prompted you to update this program. If your version is lower than 10.2.152.26, it’s time to update.
Updates are available via Adobe’s Download Center or directly from this page. The latter option avoids Adobe’s obnoxious Download Manager, which may prompt you to install additional software that you don’t need or want. Remember that if you are using both Internet Explorer and a non-IE browser like Firefox or Opera, you will need to install Flash twice, once with the IE ActiveX installer, and again with your other browser. Google Chrome users should already have this version of Flash deployed (but do take a second to check this page to make sure you have the right version, just in case).
The critical Shockwave patch brings the player to version 126.96.36.1990, and addresses at least 21 security holes in the program. But readers should check to see whether they even have this program installed before installing the latest version. If you visit this link and see a prompt to install Shockwave, then you don’t have the program. If you do have it installed, you should see a version number beneath the Shockwave icon. Updates are available for Windows and Mac versions of Shockwave.
Update, Mar. 9, 8:31 a.m. ET: It seems that many readers already have an even newer version of Flash installed, v. 10.2.152.32. I checked with Adobe, and they confirmed that this 10.2.152.32 is in fact the latest version, although it contains no additional security fixes. More information on the .32 update is available here.
The Flash page says I have version 10,2,152,32 installed. In the past couple of days, I was prompted by the program to update it.
Anonymous- what browser are you using? Would it be Chrome by chance?
I have firefox and also have 10,2,152,32.
Adobe is looking into this and said they’d get back to me asap with an answer. Stay tuned!
My Snow Leopard iMac shows 10,2,152,33. I updated a few days ago.
Ok, the mystery of the new Flash update (10.2.215.32) is solved. Adobe came back with this note, which says .32 includes video fixes, but not security updates.
“The Flash Player 10.2.152.32 (Windows) and 10.2.152.33 (Mac) releases are addressing only video-related bugs—they do not include any security fixes.”
Emmy Huang, Group Product Manager for Flash Player, just posted the following to the Flash Runtime Blog:
Flash Player 10.2.152.32 (Windows) and 10.2.152.33 (Mac)
Between Incubator and the 10.3 release, we FORGOT to post our first release update to the Runtime Releases blog. Sorry for the confusion, and the release notes will be updated this week.
Flash Player 10.2.152.32 (Windows) and 10.2.152.33 (Mac) addresses critical bugs, primarily related to video hardware acceleration:
* Windows users with systems using NVidia Optimus technology which has two GPUs that switch dynamically depending on the graphics operation would occasionally see a black screen when trying to view video in fullscreen (2745863)
* On Windows systems, AMD/ATI GPUs would not engage hardware decoding while watching H.264 video, causing a decrease in performance (2806826).
* Browser tab operations, such as switching between tabs playing video or closing many tabs displaying video, may have caused rendering problems or even a crash (2801091).
* Attempts to upload multiple files from an Apple Macintosh computer would fail due to a disk write error. However, on Mac OS 10.4 and 10.5 systems, users may continue to find a limit on the amount of data they can upload at one time (2812090).
I cannot find the Flash update for PowerPC based MacOS X on the Adobe web site. Was it officially deprecated by Adobe? Or perhaps I am not looking at the right place?
They were supposed to End of Life that some time ago. I had a recommendation to certain clients to use hardened, PowerPC Mac’s to avoid viral infection. I told them to switch to x86 in a year because Flash would be EOL’d by then. I guess they kept it around longer than planned.
I’m using K-Meleon 1.6 and getting version 10,2,152,32, too. The about Flash page currently quotes .32 as being the latest ver.
Yep. That may be the latest version, but I can’t see an advisory for it, so it may not contain security updates.
I am still checking with Adobe, but I can’t find any details on .32
Both my plugin and active x are versions 10.2.152.32. Neither Secunia PSI or File Hippo are indicating any higher version.
I’m running IE8, Chrome, and Mozilla; all three fully updated. This in Vista Home Premium x64.
On Windows 7 (HP 32bit): With Chrome the Adobe flash page says I have 10.2.154.12 installed, Firefox reports 10.2.152.26 for the same page. Secunia PSI reports 10.2.152.26 for both ActiveX and NPAPI versions (and no updates)
FileHippo reports that 10.2.152.32 is available for bot IE and non-IE versions.
Hip, hip… geddit?
This endless nonsense is one reason I prefer Linux. One update to everything and you’re done.
Eats Wombats: I believe Chrome has its own version of Flash bundled; I have noticed that Flash is always 10.2.154.x in Chrome, whereas it’s 10.2.152.x in Firefox, Safari, and other browsers. The Chrome-bundled Flash appears to be on its own track. It does make it a pain to know whether you’re vulnerable or not!
There is a plug-in checker somewhere, that I used the day I saw this article, I don’t remember where, perhaps the link is in the article above. I must admit, I’ve never used it on that browser, because I can only use Chrome on the Admin account, and have not had any trouble with it.
That plug-in checker will look at all extensions and either report their health or offer a research button, for the ones, it doesn’t cover. Seems like I’ve used it before for any of the big three browsers.
Do you mean the Mozilla plugin checker?
It works on only some of the plugins, but it’s better than nothing. Secunia or Filehippo would give more thorough coverage.
Yes! That is the one. It works for quit a few browsers and plug-ins, in my experience.
I didn’t recognized it because they changed the page – it used to have a nurse cartoon but now uses a raccoon. =D
Thanks for taking the time to do this breakdown of the updates, it was very helpful.
Krebs, you’re worth your weight in terabytes for all the poking around you do and the time and energy you burn chasing down approbate links and comments for so many folks you’ve never met. Too bad Redmond and the software vendors don’t have your user security concerns.
The Shockwave version for Apple OS X is 188.8.131.520 (as correctly reported in the article above for that platform). The same version was released as 184.108.40.2060 for Windows. Probably just a typo on Adobe’s part, but those are the two correct version numbers. http://blog.sharpesecurity.com/2011/02/10/adobe-shockwave-player-version-11-5-10-620-released/
David, when I go to the Shockwave test site Brian mentions above I get no prompt to install, and the animation is a grainy kind of blur.
Below the animation is a “Test Your Adobe Flash Player Installation” link.
Does this suggest I don’t have Shockwave on my Snow Leopard system?
I am also running Snow. When I go to the Shockwave link included by Brian, I see text that says: “Missing Plug-in” when I cue it up using Safari.
I have never installed it and have no plans to do so. Since I didn’t install it, when I pull up that page using Firefox, I get an image with text that says, “Click here to download plugin.” I see the grainy animation you speak of when using Firefox.
If you see either of these, Shockwave is probably not present on your system.
My post this morning described my experience with Opera. Tried it just now with Safari and Safari is completely hung up with the Adobe screen not showing anything in the animation box. Can’t shut down Safari or report bug.
What is the best method to auto-deploy third-party updates like these? We are moving from Novell to MS Server 2008 soon…
Wash-rinse-repeat…gotta break this security insanity cycle we’re caught in at some point.
Don’t Tell me Tuesday – That you Screwed me Monday!
Some dude in Russia – Took all my Money!
Don’t Tell me Tuesday – That you Screwed me Monday!
He bought a Rolex – And a Brand New Hyundai!
Thanks once again BK for the direct link to the Flash installers. Adobe should just let users download those installers directly to begin with instead of foisting their DLM garbage on them and deliberately hiding the direct links deep within their support pages.
Also it should go without saying that to keep up with all of the patches, consider using Secunia PSI on your home Windows system. (And they even directly link to the Flash installers too without the bloat.)
I wished webmasters would switch to silverlight; I never have any trouble with it, and it works better than cr@ppy flash any-day!
Have there been any problems with the MS updates (other than Win7 SP1, which probably should be skipped for now)?
I had an interesting problem on XP update with MS
update. It just quit when it said it was installing updates… never happened before. When I went to update it doesn’t show any missing patches. Any help
in finding out what patches I need would be appreciated.
Keep up the great work!
Have you tried visiting Windows Update, letting it scan, and then going to “custom” (that is, you drive, not microsoft) and check installed updates or update history? that will tell you if any updates failed to install.
Thanks – I checked and no updates for March applied.
Just for the fun of it I did a cold boot and logged back in
as administrator – after coming completely back up a
message appeared that all the patches had been installed.
And yes, history has been updated showing all patches
installed. Your guess as good as mine on what happened.
Good Ole Microsoft!
Thanks again for all the great info you provide!
The Microsoft Baseline security analyzer is supposed to be able to tell you the health and completeness of your updates. I’ve used it with success in that regard. It will usually point you to a solution for irregularities it detects.
Some folks like Bel Arc Adviser also.
Secunia PSI will let you know about updates you need also! I just got a surprise in some .NET updates I needed and silly Vista auto-update never caught. That last big round of MS updates seemed to hose my browser performance, but that .NET update seemed to do the trick!
I’ve noticed a continuing cycle of bad updates from MS that reduce performance or break something every other update cycle, then a new update comes out to fix the problem. I am getting tired of being Microsoft’s test laboratory for their patch cycle!
I don’t have the luxury of not accepting auto-updates because I have a cable compliant system, and the DRM will shut me down if I don’t receive all updates.
For those running the RockMelt web browser, which is based on the Chrome engine, it was just updated and now incorporates Adobe Flash version 10.2.152.32.
I am trying to use Apple Software Update, which I’ve used successfully in the past to update iTunes, and it consistently stalls out during the download, though not always at the same point. Is there another way to get the update? I’m afraid of downloading the whole program anew–would this mess up my music and iPod? Would I have to uninstall first?
If I let the Update program go long enough, it tells me “Errors occurred while installing the updates. If the problem persists, choose Tools>Download Only and try installing it manually.” But where is this Tools menu?
iTunes 10.1.0.54, Win XP SP3, Windows firewall, Symantec Endpoint 11 (turned both of these off even though they’ve been on the computer through past iTunes updates)
My inability to update my iPod Touch from 3.1.3 is another matter!
Did you try downloads manager v. 2.4.1? They have that at the app store. They may have others too!