February 11, 2014

Adobe and Microsoft today each issued patches to fix critical security flaws in their software. Microsoft’s February Patch Tuesday includes seven patch bundles addressing at least 31 vulnerabilities in Windows and related software. Adobe pushed out an update that fixes two critical bugs in its Shockwave Player.

More than half of the updates issued by Microsoft today earned a “critical” rating — Microsoft’s most dire. That rating is assigned to vulnerabilities that can be exploited by malware or malcontents to take complete, remote control over vulnerable systems — with no help from users.

Microsoft is urging Windows users to apply all of the available fixes, but for those who need to prioritize patches (organizations that typically test patches before deploying them enterprise-wide), Redmond places a special focus on MS14-007, a graphics vulnerability in Windows 7/8/8.1 and Windows Server 2007, 2012 and Windows RT.

The cumulative, critical security update for all versions of Internet Explorer (MS14-010) fixes two dozen vulnerabilities, including one that Microsoft says has already been publicly disclosed. The other patch that Microsoft specifically called out — MS14-011 — addresses a vulnerability in VBScript that could cause problems for IE users.

Microsoft also once again is encouraging Windows users who haven’t already done so to consider installing and using its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help to significantly beef up the security of third-party applications that run on top of Windows. I would second their recommendation, and have reviewed EMET 4.0 here. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform.

Speaking of .NET, this month’s updates include a comprehensive patch for the .NET Framework; experience has taught me to install these separately from other Windows patches, then reboot and install any .NET updates. I’ve run into trouble in the past trying to install .NET updates alongside lots of other updates simultaneously, but your mileage may vary.

For more on today’s Microsoft patches, check out the Microsoft Security Response Center blog, as well as Qualys’s take on the updates.

Separately, Adobe has issued a critical patch for its Shockwave player software, which fixes two flaws and brings Shockwave to v.  on Mac and Windows systems. The latest version is available here.

If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

31 thoughts on “Security Updates for Shockwave, Windows”

  1. PC Cobbler

    If you have EMET and IE11 installed, you might have trouble with these latest Windows updates. On one system EMET 4.1 refuses to allow IE11 to start, complaining about caller mitigation; other systems have occasional problems. I have had a few problems with the combination of EMET and IE11. Also, lots of webpages have not been ported to IE11. I will no longer install IE11 on W-7 systems.

    1. PC Cobbler

      I looked a little closer at my EMET settings and realized that I had tweaked them a little. I returned them to Recommended Security Settings and everything works okay now.

      But what is so bill-gates is that I was looking at three systems: two are identical twins and the third has trivial hardware differences (slightly less powerful Sandy Bridge CPU and the microATX version of the Intel DH67 motherboard). All three have W-7 and had the same EMET settings. Yet one system failed with IE11, one was temperamental, and the third was one with the universe.

      Moral of the story: set EMET to Recommended Security Settings.

      1. Jeff

        I had EMET 4.0 running just fine on a W7 system. After installing 4.1, Outlook, IE11, Word all fail to start, and that was using the Recommended Settings. Will have to dig a bit deeper and see which functions are causing the grief.

        1. Tim

          @ PC Cobbler
          Yeah, no problems here after installing the updates on Win 8.1 with EMET 4.1 (using recommended settings).

          @ Jeff
          I usually have the same problem when installing EMET. Going from memory, when installing EMET it gives you a wizard where you can choose to use ‘Recommended Settings’. But, even selecting this setting I find that I get a lot of APPCRASH errors in Windows Action Centre caused by EMET. What I do to cure it is select either ‘Maximum Security’ (or ‘Custom Security’ I can’t remember now) settings in the EMET ‘Quick Profile Name’ drop down box, then change it back to ‘Recommended Settings’ afterwards, which stops the APPCRASH errors for some bizarre reason. Both 4 & 4.1 do this (I think 3 was OK).

          1. Tim

            ETA: I meant ‘Reliability History’, which is in the Maintenance section of ‘Windows Action Centre’.

        2. Kelly

          Check into the .NET install. After I installed an update to .NET with EMET 4.0 Outlook would not start. I uninstalled, did not have time to mess with.

      2. E.M.H.

        That’s strange. I first started using EMET on Win7 systems myself, and even with customizations I never saw those problems.

        Don’t get me wrong; I’m not doubting your experience. Rather, I’m wondering what customizations could’ve had that effect so I could avoid implementing myself and recommending them to others.

        1. PC Cobbler

          Yeah, I could understand if these systems had lots of installed shinola on them, but they do not.

          Systems 1 and 2 are hardware twins with W-7 64-bit HP and Office 2010. System 3 is close to a hardware twin of the first two with W-7 Pro 64-bit and Office 2003. All three have F-Secure; none have games. These are all my personal systems, so nothing extra is ever installed by rug rats or teenagers.

          System 3 is a spare PC and used only as a lab machine, e.g. mounting disks for wiping and running Malwarebytes. I never surf the Internet with it; I only look at work sites like intel.com and microsoft.com.

          I remain convinced that IE11 plays a major role here. I unselected the checkbox on IE11’s help dialog to prevent IE12 from being installed.

    2. Rick

      “Won’t allow IE 11 to start….”

      Now if only they could do that for IE 10->IE 6!

  2. PC Cobbler

    And another thing. On every W-7 system the following happened: I installed all recommended updates, rebooted, and then another important update appeared. Rinse and repeat.

    1. Old School

      Years ago I had an epiphany: computer operating systems are complicated. They are so mind-boggling that sometimes a piece of code has to be installed and functioning before a subsequent chunk of code can be installed. Therefore, after every operating system software upgrade and subsequent reboot, I run Live Update a second time. Sometimes additional updates are found and sometimes not.

      1. Vee

        “I run Live Update a second time. Sometimes additional updates are found and sometimes not.”

        Yep, and the same with anything that has an updater. Same thing with Linux updates especially.

    1. Chuck Rogers

      That would be February 2014. The day (11) can be found above that notation.

  3. JimV

    The Shockwave update brings the installed version to v12.0.9.149.

  4. Old School

    A lagniappe: As usual, the software upgrade left a few files in the Temp folder within the Windows folder. The “Free up disk space” function within Administrative Tools does not clean the Temp folder.

    1. JimV

      Use CCleaner and toggle the array of options to select or de-select specific areas to be cleaned — it will do a much better job than the built-in MS function.

    2. Rick

      Why run a special program to clean up the temp folder? Quit all open programs, start->run>%temp%->control-A->delete. Boom, done.

  5. Olla

    The subscribe to RSS link doesn’t work on this page (or any other).

    1. BrianKrebs Post author

      Olla, I’m going to guess that you’re browsing this page with Adblock enabled. If that’s the case, I assure you that if you add an exception for my site, those links will work.

      1. Olla

        No, I don’t use Adblock, but in Chrome I opted for blocking 3rd party cookies. Guess that’s the same thing – not sure why you deserve an exception.

        1. Dennis

          I use Firefox and block 3rd party cookies; no problem with Krebsonsecurity.

          On the other hand I refuse to use Chrome because of many problems encountered using it in my workplace. I uninstall Chrome from all new machines there.

  6. nonameform

    I’ve rebooted twice, but still Windows Update fails to install .NET patches on Windows 7 64-bit. Been long time since that happened to me.

  7. jay

    For the avg user is there any way to tell if your computer has been compromised by RCE? If it has been how do you go about regaining control of the compromised computer?

  8. Stratocaster

    You detailed it in a previous post, but since these updates are usually released on Black Tuesday, it would bear mentioning again that Adobe released an out-of-band security update for Flash Player a few days ago. Flash Player, unlike Shockwave Player, is on the vast majority of machines (except iOS…).

  9. Matt

    Wait, is the consensus that EMET 4.1 on Windows 7 64 bit works or doesn’t work? We run Office on all our machines, and don’t even want that headache. Is there any info on what exactly 4.1 offers / fixes vs 4.0?

    1. PC Cobbler

      The consensus is that EMET works most of the time and is effective when it works.

      I am still not a fan of IE11, but now I am leaning towards blaming NET. I just installed W-7 (clean) and noticed that NET 4.5.1 takes the place of 4.0 on Windows Updates; there were no separate client / full updates as before, only 4.5.1.

      If you already have EMET 4.0 installed, you might consider leaving it as is. If you have no version of EMET installed, install 4.1.

      One final thought: I have found that any problem with EMET can be solved by uninstalling and reinstalling (PITA, though).

  10. TheOreganoRouter.onion

    Windows exploitation in 2013 (ESET blog)

  11. Andy

    I’m getting a lot of problems with EMET 4.1 and Firefox / Chrome – caller mitigation events occurring non-stop. Had to stop EMET from registering those events for now.

    It SEEMS as if it might be related to a recent Nvidia or Intel GPU driver update, as everything has been working just fine for the last X months.
