The second Tuesday of the month is upon us, and that means it’s once again time to get your patches on, people (at least for readers running Windows or Adobe products). Microsoft today pushed out nine patch bundles to plug security holes in Windows and its other products. Separately, Adobe issued updates for its Flash and Shockwave media players that address four distinct security holes in each program.
Microsoft called special attention to a cumulative update for Internet Explorer that fixes two critical vulnerabilities present in virtually every version of IE ever produced, including IE 9, 10 and IE on Windows RT, the operating system for mobile devices and tablets.
The other critical patch in the bunch addresses a dangerous vulnerability in the Windows Remote Desktop Client, which allows systems to be managed remotely. For a rundown of the other updates released today, check out the Qualys blog, the Microsoft Security Bulletin Summary for April 2013 and the Microsoft Security Response Blog.
Adobe’s update brings Adobe Flash Player to v. 11.7.700.169 on Windows and Mac devices (the latest version numbers for other operating systems are listed in the chart below). Internet Explorer 10 and Google Chrome should automatically update to the latest version. Google has already pushed out the Flash update with Chrome v. 26.0.1410.63 for Mac and Linux, and v. 26.0.1410.64 for Windows; if your Chrome version isn’t at the latest (you can check which version by clicking the customize tab to the right of the address bar and then “About Google Chrome”), try closing and restarting the browser.
This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
Adobe also issued an update for its Shockwave Player software that fixes at least four vulnerabilities, bringing Shockwave to v. 12.0.2.122 on Windows and Mac systems. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
Finally, if you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is 3.7.0.1530 for Windows, Mac, and Android.
If all of this patch craziness has your head spinning, consider using some free tools to help automate the process for you. File Hippo’s Update Checker works great on this front, as does Secunia’s Personal Software Inspector (I prefer PSI 2 over PSI 3, but your mileage may vary). And, as ever, if you experience any problems or interesting issues applying the Windows updates or any of the other patches, please drop a note in the comments section below.
People continue to go “oh bother” another round of patches? Well I smirk and then tell them that for less than a half hour – sometimes hardly any time at all if you “trust” these companies will not issue a botched patch – that the experience will be over.
I was told by a coder that on “average” there is about a 1-2% acceptable error rate in the code. That means if the coders are extremely careful and “somewhat” thorough that 10,000 lines of code will have about 100-200 lines of code that may have vulnerabilities in it.
As for the potential of getting hacked – servers shouldn’t have any free Adobe products, nor Java on it. Remote Desktop that is exposed to the internet in any fashion is looking for trouble.
Secunia is a great site, it definitely helps. Many people may feel a bit skittish about using it. It shows vulnerabilities, and sometimes links to correct them.
GFI LanGuard used to have a free version of a scanner and patcher software. Last time I used it was version 9.x, and it worked ok for Microsoft objects. The NEAT thing it would do is inventory software on machines and then you could see exactly what type of non-operating stuff is in your home office, small business or home computers.
Patching a massive list of workstations and computers has been a part of my life. I did it religiously to thousands of computers a month. It now comes second nature.
In my opinion, you either patch and accept or get hacked and complain. Pick your poison.
The main download page will only provide the “slim” installer, which once executed will download the full installer file (and who knows what else). That full installer file for Adobe Shockwave can be downloaded directly from the following link:
https://www.adobe.com/shockwave/download/alternates/#sp
Oh — and it’s version 12.0.2.122 — 112 is the previous version being replaced.
Thanks once again, Brian, for always having the best links for helping us to stay up-to-date.
Does anyone know / understand why Adobe maintains a separate Flash Player version 10.3.183.75 as well as version 11.7.700.169?
And, why have separate .exe and .msi installers — is one preferred over the other?
And, why the Version 11 installer files are 4-5 times the size of the Version 10 files?
Flash Player version 10.3.183.75 is for older Mac system software which won’t run Flash version 11.
Every time….e v e r y!… time!….I read Brian Krebs’ website I just shake my head at the hydra-like [pun alert] onion-skinned complexity of these machines we so glibly take for granted at such great risk while we’re a-clickin’ away at this or that, and the potential for serious trouble.
Trouble like – water supply, electrical grid.
This is the new M.A.D. Mutually Assured Destruction between ……for starters….Muslims against just about everyone.
Trouble is, it’s politically incorrect to mention this…….so there!
I feel better.
I… You… What?
Don’t drink and post, guys. You’ll end up sounding like this.
You got to love patch Tuesday
Thank you for always keeping us up to date.
I updated both Flash and Shockwave and restarted my computer. The Adobe site is showing that both are now the latest versions in both Firefox and IE8 (by the way the latest Shockwave version should read 12.0.2.122, not 12.0.0.122).
However, when I check to see if my Firefox addons are up to date, it says that Shockwave (which it lists as Shockwave for Director) is out of date, although it shows the new version number. Have closed and reopened Firefox a couple of times and it still says I have an outdated version. Can’t recall this problem with previous Shockwave updates.
This may be a FF bug, as I’ve discovered the same thing in my installation after the update was verified. It may be that the profile plugins database needs to be re-initialized — the instructions from Mozilla’s troubleshooting support for doing that are here:
http://mzl.la/NYtGci
We’re not alone with this problem — there’s already a discussion thread in the FF community support forum on this at:
http://support.mozilla.org/en-US/questions/956079?esab=a&as=aaq
Another useful tool for staying up-to-date is ninite.com.
Nope. Flash has been pulled from Ninite.
Good post. But is it possible to download and install previous version of PSI? I decided to uninstall 3.0 due to its very big resource demand. 2.0 was much better and there was more control in hands of user.
Yes, 2.0 was better than 3.0. You can get it here:
From: http://secunia.com/products/consumer/PSI/sys_req/
Older versions of the Secunia PSI can be downloaded here.
PSI 2.0 http://secunia.com/PSI2Setup.exe
PSI 1.0 http://secunia.com/PSI1Setup.exe
There is a direct link to 2.0 in the last paragraph. But here it is again
http://secunia.com/PSI2Setup.exe
Thanks 🙂 I didn’t check links in post while reading on tablet.
Thank goodness all the MicroGates updates pertain to IE, a junk browser…
Perhaps a junk browser, but one which is now deeply embedded into Windows functions and the functionality of quite a few apps (like Secunia PSI and some others), so worth keeping up-to-date with security patches even if you don’t launch or use it directly. If you launch one of those apps which relies on its functionality for the front end user interface and you happen to be exposed to some poisonous vector in the background while doing something else online, the outcome might not be pleasant and result in hassles far worse than the monthly patching effort.
When I try to install this update I continue to get a failure notice. Any thoughts on this? It is marked as an unknown error.
Er…Mark you may have to be a little more specific about which update failed.
Jim, you make some very good points, however, I have not used IE since 2003 and never will no matter what anticipation I may miss..
I’m not an IE advocate and use FF as my primary browser, but there are some websites (a few in which I have a high enough interest, and many others in which I don’t) whose functionality is built around ActiveX and which simply won’t work properly without using IE. More pertinent to my earlier comment was the point about critical apps which you might use that require it to function (Secunia’s PSI is one I like, but only v2 and not v3), and the fact that since it’s become embedded in the OS for any flavor of Windows it can’t really be uninstalled. Since it is embedded and can be operating in the background through one of those apps, I think it’s best to patch its security flaws on a regular basis as good practice, even if you never directly launch or use it in the foreground.
Thank you, JimV, for the valuable comment! I am deleting Secunia’s PSI since it is dependent upon IE..
That seems a bit harsh, particularly if you found it to be useful in monitoring and identifying other installed apps that had vulnerabilities or been superseded by a new version. But, it’s certainly your choice — the point of my earlier response was simply to underscore the desirability for users with any flavor of Windows to be vigilant in patching, including those available for IE, since it’s embedded in the OS.
Thank you both 🙂 I didn’t check link in that post while reading it on tablet.
Brian, You may want to update this post about all the people who are having trouble with one of the updates causing machines to not boot anymore. The Microsoft KB is here http://support.microsoft.com/kb/2839011
Thanks. I actually just published a short post about the very problem you mentioned.
http://krebsonsecurity.com/2013/04/microsoft-hold-off-installing-ms13-036/
Hi,
I’m confused. I have a Mac running Snow Leopard. When I look at Firefox plug-ins it reads, Shockwave Flash 11.7.700.169 updated 4/11. And it says nothing about Adobe Flash Player. Has something changed between 4/9 and 4/11? I’m running the latest version of Firefox, 2.0.
When I clicked on the link you provided to see which version I had it said I needed additional plug-ins in order to run it, but when I clicked on the link to download additional plug-ins it said that there were no suitable plug-ins to be found. Is that because I run Snow Leopard and it’s not available for Mac, like Java 7?
Yes this is making my head spin, too bad they don’t offer a program like you suggested for Windows, but also for Mac.
On another note, do I need an update for Adobe Books too? I use it for Nook. Could someone point me in the right direction if the answer is yes?
I’ve spent too many hours trying to sort all this out, and then I found your site. Finally reliable advice! But I still feel like I’m way behind the curve ball.
I still don’t know if I have everything that I need for Safari, Firefox, and Chrome. I do know that I’ve disabled Java in all three.
For what it’s worth, when I told other Mac users that I know about the Trojan that infected 600,000 users, none of them knew about it and most said that they weren’t going to worry about it. I understand that it’s a fairly small number of computers, but still?
I use my Mac for personal reasons. Am I being overly paranoid? I don’t think so but maybe I need a reality check.
I forgot to say, thank you.
Thank you!
Pretty nice post. I just stumbled upon your blog and wanted to mention that I’ve really enjoyed surfing around your blog posts. In any case I will be subscribing to your rss feed and I’m hoping you write once more very soon!
Hello, Brian.
Why do you prefer PSI 2 over PSI 3 ?
Hi Joyce,
I linked to my review of PSI 2 in the story, but here it is again
http://krebsonsecurity.com/2012/06/secunias-auto-patching-tool-gets-makeover/