August 14, 2012

Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.

The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Nevertheless, the underlying vulnerability being targeted exists in the Windows, Mac and Linux versions of the software. Windows and Mac users can grab the latest version (v. 11.3.300.271) via the Flash Player download center. Be sure to uncheck the “free” software scans that Adobe loves to bundle with updates, such as McAfee‘s obnoxious Security Scan Plus, if you don’t want it. Linux users should update to v. 11.2.202.238, and Chrome users who are at Chrome v. 21.0.1180.79 (click the wrench icon in Chrome and select About Chrome to see your version number) should already have the latest Flash update, which for Windows Chrome users is v. 11.3.31.227. To find out what version of Flash you have installed, visit this page.
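Because each Flash distribution ships on its own release line, a single "latest" number is not enough to decide whether a machine is patched: compared as plain numbers, Chrome's 11.3.31.227 looks older than 11.3.300.271, and Linux's 11.2.202.238 looks older than both, yet all three are the fixed builds. The following check, an added example that is not part of the original post, keys the comparison on the distribution and its release line. The fixed builds are the ones named above; the distribution keys, the three-component "release line" rule and the function names are this example's own assumptions.

```python
"""Added example (not from the original post): decide whether an installed
Flash Player build is at or above the fixed build for its distribution.
Fixed build numbers are the ones the post lists; everything else here
(distribution keys, release-line rule, function names) is assumed."""
from typing import Tuple

# Fixed builds named in the post, keyed by distribution (keys are assumed).
FIXED_BUILDS = {
    "windows": "11.3.300.271",
    "mac": "11.3.300.271",
    "linux": "11.2.202.238",
    "chrome-windows": "11.3.31.227",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.3.300.271' into (11, 3, 300, 271); reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_numerically_older(a: str, b: str) -> bool:
    """The naive comparison: component-by-component as integers.
    It reports 11.3.31.227 as older than 11.3.300.271, which is why the
    check below never compares across release lines."""
    return parse_version(a) < parse_version(b)


def release_line(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Assumed rule: the first three components identify the release line
    (11.3.300 for the Windows/Mac plugin, 11.3.31 for Chrome, 11.2.202 for
    Linux); only the last component is compared within a line."""
    return version[:3]


def assess(distribution: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-a-listed-line'.

    'not-a-listed-line' covers builds such as 10.3.183.20 that are on a
    line the post does not list as fixed; treat those as needing review
    rather than silently passing or failing them."""
    fixed = parse_version(FIXED_BUILDS[distribution])
    have = parse_version(installed)
    if release_line(have) != release_line(fixed):
        return "not-a-listed-line"
    return "patched" if have >= fixed else "vulnerable"


if __name__ == "__main__":
    for dist, ver in [("windows", "11.3.300.271"), ("windows", "11.3.300.265"),
                      ("linux", "11.2.202.238"), ("chrome-windows", "11.3.31.227"),
                      ("windows", "10.3.183.20")]:
        print(f"{dist:15} {ver:14} -> {assess(dist, ver)}")
```

The distribution has to come from inventory (which browser plugin, which OS), not from the version string alone: a Windows ActiveX control reporting 11.3.31.x would be on a line the table does not list for that distribution, and the check flags it for review instead of guessing.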

Adobe also pushed out a new version (v. 10.1.4) of Adobe Acrobat and Reader that corrects at least 20 distinct security vulnerabilities in Windows and Mac versions of these products. Windows users can grab the latest update from this link, and Mac users from here. Those looking for links to Adobe Acrobat updates and support for older versions of Reader should check the advisory that the company issued today for more information.

In addition, Adobe released an update that fixes at least five critical flaws in Windows and Mac versions of its Shockwave Player software. If you have this program installed, update it. If not, forget about this patch, as you probably don’t need the software. The latest version is Shockwave Player 11.6.6.636 and is available via this link.

At the top of the heap of security updates that Microsoft released today is MS12-060, which fixes a vulnerability in Microsoft Office that is already being exploited in the wild. Other high-priority updates from Redmond include a patch for a flaw in the Remote Administration protocol of Windows networking, and an Internet Explorer update that fixes two security holes. More information on the Windows patches is available from Microsoft’s Security Response Center and from Qualys.

Microsoft patches are available through Windows Update or Automatic Update. As usual, please leave a note in the comments section if you experience problems applying any of these updates.


57 thoughts on “Critical Security Fixes from Adobe, Microsoft”

  1. fastoy

    Chrome updated to Chrome 21.0.1180.79 m with Flash 11.3.31.227. That’s the PPAPI (sandboxed) version.

    1. mīkbee

      Chrome constantly updates, not that there’s anything wrong with that … and now since the 7/31/12 update my Win 7 Pro laptop (old AMD X2) cannot cope. Runs Chrome like a bad stop-motion animation film. Hesitates. Pauses. Hangs up. Ugh… back to the Fox. Unless any of your bright Krebs fans have suggestions?

    2. Marc

      Yes, Brian needs to update this to reflect the fact that, on Windows at least, 11.3.31.227 is the latest Flash for Chrome users. Interestingly, Adobe is wrong in reporting that the “300” series of Flash is the latest in Chrome. They said this both in their security bulletin and it's on their “tester” page. Also, Brian has a typo in the Flash version he says is the latest.

      1. BrianKrebs Post author

        Yeah, I think Adobe changed their advisory on the Chrome part to reflect which version of Chrome you have, rather than which version of Flash, since the latter may change depending on what OS you’re using. I’ve modified that paragraph to reflect this.

      1. ChocolateMalt

        Reader looks recent but most of the other folders there, including Flash, appear abandoned.

    1. SFdude

      Thanks Jason!

      The link in your post, ^^^
      is the one I always update Flash from.

    2. Old School

      Start with a shortcut/bookmark to the About page: https://www.adobe.com/software/flash/about/ to check for the most current version, then use Jason’s link for the update, and you have a sweet little system for checking and updating Flash while avoiding “McAfee‘s obnoxious Security Scan Plus.”

    3. 67GTV

      Thanks for the link Jason. However, this link should not be shared as per below.

      “You may not share the above link, share information with others, or publish the above link on websites, blogs, or by any other means that can be publicly accessed. The information contained on this site is meant for your use only in accordance with Adobe Flash Player Distribution License Agreement you accepted. You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights.”

      I go through this process every time I want to download a crap-free installer for our PCs.

      Also of note, it appears Adobe no longer separates 32-bit and 64-bit installers.

      “Note: Beginning with 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.”

      1. Quinn

        That’s because this is the site for sys admins and distributors, who do require a lic.

        Adobe understandably wants to load the public up with latest and greatest overloaded and bloated version with bells and whistles galore (and 5X the disk space and resource requirements. ;^)

        If they knew that a few net-wise security geeks were just trying to get a stripped down model, I don’t think they’d feel too threatened.

        But just in case, let’s keep it to ourselves…sh-h-h-h…and if you tell some one, tell them not to tell…. (^} {^)

        1. Quinn

          Oops! My bad. I misread the download sizes.

          The downloads from Jason’s and dave’s sites appear to be pretty much the same size as the regular Flash and Reader download sites (as long as the check box to add extra software is unchecked.) ;^)

          1. SeymourB

            Keep in mind you’re not comparing apples to apples. The versions distributed to consumers aren’t distributed as an MSI, which are inherently larger files. MSIs can perform administrative & repair installations and are structured so that you can create transforms (MSTs) from the MSI to customize the installation, none of which are possible with Adobe’s consumer installer.

      2. SeymourB

        While technically true, the fact of the matter is that Googling for “adobe flash player msi” returns that link as the first hit and has done so for the past couple of years or so. If Adobe hasn’t bothered to stick the page in their robots.txt file for that long, they’ve got to be on shaky legal ground.

        1. 67GTV

          Sure enough Seymour, when I Googled “adobe flash player msi download” with quotes, I found one Adobe staff member referring a requestor to the same link Jason posted. The first result points to Jason’s link when Googling “adobe flash player msi” without quotes. A brief glance at Googling “adobe flash player msi” with quotes did not reveal the link. I did however, see your post above. 🙂

          Btw, the distribution link is handy as Adobe’s distribution application form is non-functional. (I tested it, not believing my co-worker.)

  2. Dan

    Updated Windows. KB2647753 continues to present as Recommended, even though installed. Have hidden update, but was wondering if anyone else is experiencing this.

    1. PJ

      Same here, tried installing KB2647753 on a Windows x64 system. It keeps saying completed, but keeps coming up again on check for updates.

      Updated a pair of x32 laptops with no problems.

    2. Dirgster

      Brian is the greatest for keeping all of us in line. Thanks, Brian!

      I’m having the same problem with update KB2647753. It won’t install although it shows by now five times under “View update history” as installed successfully. Under “Check for Updates”, KB2647753 is still listed as a necessary update. I have rebooted several times since then, and as I was just checking for possible updates one more time, “Windows is up to date” was the prompt. Finally!
      P.S. I just found the following (answer #2). Perhaps it will help someone else to fix the annoying KB2647753 problem:

      http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/why-wont-kb-2647753-install/aa599ea3-0bd9-4118-8e26-20d6ac4596ee

      1. Jack Stewart

        The uninstall of KB2647753 and reboot and manual install of KB2647753 stand alone file worked for me!

        Win7 64

  3. npb

    Hey Brian (or community)

    What advice (other than get a new cpu) would you give to people who still use PPC Macs and are unable to update Flash?

    Thanks.

    1. Neej

      Remove Flash completely (some websites do require it for essential functionality)

      Or disable the browser plugin.

      Or block it from running in the browser on a per site basis – ie. only allow it to run on sites where it is required using something like Firefox’s NoScript addon.

    2. Neej

      Forgot: Or use a Flash blocker like Firefox’s Flashblock. NoScript and similar addons block all scripting unless you allow it on a per site basis which adds a layer of tasks to do for each site you visit for the first time which some may find annoying even though it adds a layer of security – Flash blockers only block Flash.

      I realise you may not use Firefox – you’ll need to Google how to do these things or search the addons site of whatever browser you use.

      1. npb

        Thanks for the reply. I forgot about NoScript. My browser of choice for the PPC is Aurora, which is built off Firefox. I use Flashblock, but didn’t know how effective it is against malicious websites that look for outdated versions of Flash.

        Off to download NoScript.

        Thanks again for the reply, Neej.

        1. SeymourB

          There are ways to bypass Flashblock, or at least there were in the past, whereas it’s damn near impossible to bypass Noscript.

  4. timeless

    Brian: I don’t suppose you can ask Adobe to stop requiring an OS Restart for Reader? There’s really no valid justification for that in a third party non OS driver application.

    It’s also pretty annoying that it considers failure to dump junk into HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as a fatal condition worthy of failing its install.

  5. Francois

    Is it just me or is the Flash update only for version 11? We haven’t upgraded to 11 yet and are still on 10 (currently 10.3.183.20). Does this mean that this vulnerability being patched is not present in 10?

  6. Kevin

    Windows update appears to be corrupt on one win 7 computer. No update possible. Is there a fix? The Microsoft trouble shooter had no effect. 2 other computers on the same network had no trouble. Norton didn’t find any issues.

  7. DL

    A question for the community,

    Does Adobe Flash update automatically? I find that I have the latest version (v. 11.3.300.271) installed on both my work PC and personal laptop. I have NOT intentionally updated either.

    thanks,
    DL

    1. Daniel Wolf

      Yes, Flash now includes the feature to automatically update. It may have asked you in the past and you opted in to it.

      However, this is not universal.

      1. 67GTV

        Recently, manual updates to Flash Player prompt for the ‘Check for Updates’ options each time an update is applied. The default setting is to “Allow Adobe to install updates”.

        Just like Java, Flash Player no longer remembers previously set preferences. I believe updates to Adobe Reader still retain your Preferences.

    2. Dirgster

      My machines are both set to automatic updates for Adobe Flash Player, and the setting does a good job. The following might help you check your settings.
      “User configuration of auto-update notification”:
      Users can set the frequency of the checks or disable auto-update notification by using the Flash Player Settings Manager:

      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html

      These user-configured auto-update settings are stored in a local shared object on the users machine. To learn how individual users can disable auto-update, see “How to disable auto-update notification in Flash Player”:
      http://kb2.adobe.com/cps/713/a7138026.html

  8. Andrew Z

    Adobe Flash Player, Java 7 and Win7x64Pro updated without issue. Glad to see that there’s finally a batch of fixes for the Win7 & 2008R2 print spooler … you may have to make an exception in your HIPS for it to install correctly

  9. PB

    Has anyone else found Adobe’s new-ish automatic update functionality for Flash to be totally non-functional (on Windows XP, for me)?

    I find I still have to monitor online news and apply patches manually. And, if anything, the manual patch process seems to be getting buggier.

    Looking forward to the day I can eliminate Adobe altogether from my systems.

    1. Doug

      FWIW, at least one of six Win XP Pro machines I manage has this issue. (Detail: the machine in question is set to notify but not automatically install. I don’t receive timely notifications. If it does notify me it seems to be after a reboot – but since I rarely restart I usually become aware of the update via the other machines or by this WONDERFUL WEBSITE (Thanks, Brian!!) )

      On another note – I updated Java from 7.05 to 7.06 and was surprised because I did not have to disable Java in the browser (Firefox), it remembered the setting!! First time. Ever.

    2. Old School

      This problem has been the subject of earlier articles:
      http://krebsonsecurity.com/2012/06/critical-security-fixes-for-adobe-flash-player/
      http://krebsonsecurity.com/2012/03/critical-security-update-for-adobe-flash-player-2/
      Using the second article, I went to Control Panel then System and Security. Flash Player (32 bit) is set to “Allow Adobe to install updates (recommended). ”
      Using http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html, Global Notification Settings says “Notify me when an update to Adobe Flash Player is available.” Then there is a line that says “Check for updates every” followed by a drop-down box. The shortest period is seven days!!! Then Adobe says “Use the Global Notifications Settings panel to set notifications of updates in Flash Player:

      If you want Adobe to automatically notify you when a new version of Flash Player is available, select Notify Me When An Update Is Available. From the pop-up menu, select how frequently you want Flash Player to check for updates. The default selection is 7 days.
      If you don’t want Adobe to automatically notify you when a new version of Flash Player is available, deselect Notify Me When An Update Is Available.”

      The Auto Update does not seem to work or work fast enough so I just manually check the current version every morning while I am spilling coffee in my lap. Call me Old School.

  10. Stratocaster

    One might reasonably think that the Flash Player version for Chrome, 11.3.31.x, should be newer than the 11.3.300.x versions for other browsers. Not so?

    My Chrome Flash Player is currently 11.3.31.227 after the last Chrome update.

  11. Alister Wm Macintyre

    According to Secunia PSI, the Adobe Flash Active X 11.x update failed.
    I ran PSI, after I saw Brian heads up, before any Adobe update (Microsoft updated 2 am), and it said I needed this and also NPAPI. I am now up-to-date on NPAPI, Shockwave & Reader, according to PSI.
    I did a sys config backup before each update patch ingredient. I am on Win XP.
    I will do a reboot, and start over.

  12. Debbie Kearns

    One problem, though: When I got to the Java.com website and clicked on “Do I Have Java?” and the “Verify Java Version” button, it STILL says I have Version 7 Update 5 without asking me for an upgrade! Do I have to wait for a few more days? 🙁

    1. Andrew Z

      I was able to update from Java 7 Update 5 to Update 6 manually by opening the Java Control Panel under the Update tab.

  13. Mattias S

    Hmmm… After applying the latest MS patches my Secunia PSI 2.0 is no longer able to scan and lost its database. Upgraded to PSI 3.0 but still not possible to scan. Anyone else seen this on Win 7/SP1 64-bit?

    1. Doug

      Check the Secunia forum: http://secunia.com/community/forum/psi/
      you are not alone. 🙂
      Others have the same issue and there may be a fix. Also 2 days ago I had this problem with 2 of 6 WinXP Pro machines, Secunai 2.0 – it was their server where the problem was, see earlier forum entries.

      1. Doug

        Secunia not Secunai – I have to learn to read my post before I hit submit!!

  14. Rimutis

    Applied all updates on WinXP SP3 – no problems. As for Secunia – also works well, version 3.

  15. Old School

    Some day, when you have a slow news day or when you are not having power problems, could you please address the functionality of the Adobe Flash Player Settings Manager and the auto-update problem. I realize that you have touched on this problem before, ad nauseam. Quoting your own hand (http://krebsonsecurity.com/2012/06/critical-security-fixes-for-adobe-flash-player/) “Windows users who have Flash 11.2 or higher installed also have Adobe’s new updater, which is designed to auto-install updates shortly after they’re made available. ” I have never had any success with either of their two systems. Here is their documentation:
    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html .
    ” Beginning with Flash Player 10.3, the Local Settings Manager supersedes this Online Settings Manager for managing global settings on Windows, Mac, and Linux computers. The Local Settings Manager can be accessed in the Control Panel on Windows and in System Preferences on Mac. Users of other operating systems and earlier versions of Flash Player can continue to use the Online Settings Manager described here.

    To access the local Flash Player Settings Manager that is native to your operating system:

    Windows: click Start > Settings > Control Panel > Flash Player
    Macintosh: System Preferences (under Other) click Flash Player
    Linux Gnome: System > Preferences > Adobe Flash Player
    Linux KDE: System Settings > Adobe Flash Player”

    For Windows 7, the documentation is wrong. The Settings Manager is in the Systems and Security section and not a separate entry on the Control Panel. Does the auto update function work for other users? How long does the user have to wait before the auto-update software detects an update? I would not push this issue if it were not for the security issues. THANKS.

    1. Doug

      First, my thanks to you, Old School. Your posts are informative. You mentioned earlier in this thread that the lowest interval to check for flash player updates is seven days. Don’t know why it didn’t occur to me before but you turned on the light – this is why I usually find out about an update from another machine or maybe this website before I receive any notice from Adobe.

      You asked “Does the auto update function work for other users? How long does the user have to wait before the auto-update software detects an update?”.

      I reviewed the FlashInstall.log found at C:\WINDOWS\system32\Macromed\Flash on six machines, all are running WinXP Pro, four are Dells, two are IBM. Five are set to auto update. Three are on the West coast in Pacific time zone, three are in Hawaii time zone. The West Coast machines are always on, the HI machines are put into standby when not in use. The log uses GMT, here are the update times:
      I530 2012-08-15+01-44-54.734
      Dell1 2012-08-15+01-59-12.312
      Vostro 2012-08-15+05-50-41.625
      IBM2 2012-08-15+07-47-12.531
      IBM1 2012-08-15+09-21-11.187
      I5302 2012-08-15+15-45-24.921
      The first two updates occur within 15 minutes of each other, first update was in Hawaii, second on the West coast. About 4 hours later Vostro (in HI) updated. About two hours more and IBM2 (West C) updated. Another hour and half to update IBM1 (West C). Finally I5302 was updated manually – it is set to notify, no notice received. All in all, the auto updates machines updated within eight hours of each other.

      Hope this helps answer your question.
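The fleet check Doug describes, comparing install timestamps across machines to see how long the auto-updater took to pick up the fix, can be done mechanically. The following is an added example and is not part of the original post or of Adobe's tooling: it parses the six timestamps exactly as listed in the comment above (GMT), sorts them, and flags any machine that installed more than eight hours after the first one. The "<host> YYYY-MM-DD+HH-MM-SS.mmm" line shape is copied from that comment and is not a claim about the real FlashInstall.log format; the eight-hour window, the host keys and the function names are this example's own assumptions.

```python
"""Added example (not from the original post): measure patch rollout spread
across machines from per-host install timestamps. Input lines follow the
shape a reader posted in the comments, not Adobe's log format (assumed)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed input: the six lines as they appear in the comment. Times are GMT.
LOG_LINES = """\
I530 2012-08-15+01-44-54.734
Dell1 2012-08-15+01-59-12.312
Vostro 2012-08-15+05-50-41.625
IBM2 2012-08-15+07-47-12.531
IBM1 2012-08-15+09-21-11.187
I5302 2012-08-15+15-45-24.921
"""

# Assumed timestamp layout: date, a literal '+', then HH-MM-SS.milliseconds.
STAMP_FORMAT = "%Y-%m-%d+%H-%M-%S.%f"


def parse_line(line: str) -> Tuple[str, datetime]:
    """Split '<host> <stamp>' into (host, aware UTC datetime)."""
    host, stamp = line.split()
    when = datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)
    return host, when


def parse_log(text: str) -> List[Tuple[str, datetime]]:
    """Parse every non-blank line; a malformed line raises rather than
    silently dropping a host from the rollout picture."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rollout_report(text: str, window: timedelta = timedelta(hours=8)) -> Dict:
    """Sort installs by time and report first/last host, total spread in
    hours, and hosts that installed later than `window` after the first."""
    entries = sorted(parse_log(text), key=lambda e: e[1])
    first_host, first_time = entries[0]
    last_host, last_time = entries[-1]
    spread_hours = round((last_time - first_time).total_seconds() / 3600, 2)
    outside = [host for host, when in entries if when - first_time > window]
    return {
        "first": first_host,
        "last": last_host,
        "spread_hours": spread_hours,
        "outside_window": outside,
    }


if __name__ == "__main__":
    report = rollout_report(LOG_LINES)
    print(f"first install: {report['first']}, last install: {report['last']}")
    print(f"spread: {report['spread_hours']} h")
    print(f"outside 8 h window: {report['outside_window']}")
```

On the posted data the five auto-updating machines fall inside the window and only I5302, the one set to notify rather than install, falls outside it, which matches the commenter's reading of the log.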

    2. PJ

      Automatic updater has failed every time so far for me on a pair of laptops, win7 x32 and x64. It sure checks often enough though.

  16. sheen

    What is the difference between Shockwave & Adobe Flash Player? TIA

Comments are closed.