If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.
Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.
The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).
More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.
Adobe’s Flash Player update brings Flash to version 22.214.171.124 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.
To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 126.96.36.199.
Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.
Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 188.8.131.52 for Windows, Mac, and Android.
Thanks for the reminder, Brian! Much appreciated.
Brian Chrome repackages Flash in a module called Pepperflash I would not be surprised if either A) pepper flash was not vulnerable or B) chrome simply has not yet updated pepper flash to incorporate the changes.
Pepper is just an API, like ActiveX, or NSAPI. Google does publish the Pepper version of Flash, primarily because Pepper is an undocumented plugin API so only Google can release Pepper plugins, but that version is based on source code from Adobe.
Sometimes exploits are ActiveX or NSAPI specific, and in those cases you’ll only see a single plugin type revised. In cases where both ActiveX and NSAPI are updated, normally the Pepper version is just as vulnerable.
Google has already stated they’ll be releasing a new version of Flash for Chrome, but instead of releasing a whole new version of Chrome they’ll rely on their component update model (which has a whole host of issues I won’t get into) to update Flash.
If you don’t want to wait for Google to deign to update your particular installation of Flash, you can try disabling the Flash component in Chrome. At that point it’ll revert to using the NSAPI version of Flash, which you will have (hopefully) updated. Once Google gets around to pushing down a component update to your copy of Chrome, you can re-enable the Flash component and start using it again.
It’s a crappy method but their component update model is, well, crappy. Not nearly as crappy as Adobe’s auto-update model but at least we can forcibly update everything without relying on their auto-update model… which isn’t the case with Chrome.
Great suggestion. To anyone wanting to to this (disable Pepper Flash), go to chrome://plugins/to get to these settings. .
I tried to find a way to get Chrome to update its components. At chrome://components/ I can see a component called pepper_flash, but it’s at version 184.108.40.206. Clicking on the “Check for update” button doesn’t seem to do anything.
IMHO, it’s all just a bit broken.
According to Google support website, it says if you go to About Google Chrome on your menu, it will check for updates. It doesn’t actually finish updating until you restart Chrome.
Minor correction, the browser plugin API is NPAPI.
Netscape Plugin Application Programming Interface (NPAPI) is a cross-platform plugin architecture used by many web browsers.
Netscape Server Application Programming Interface, a technology for extending web server software
(May be confused with NPAPI, another Netscape technology)
NSAPI is a server plugin API like CGI-BIN and ISAPI: http://en.wikipedia.org/wiki/Netscape_Server_Application_Programming_Interface
I disabled the Chrome Flash plug-in as I’ve done in the past (usually when encountering Shockwave crashes) but for some reason I can’t get Chrome to play nicely with the current version of Flash I downloaded from the Adobe site. Usually both versions show up on the chrome://plugins/ page, but I’ve noticed lately that only the Chrome Flash plug-in is listed. So when I disable it, the browser perceives that I don’t have Flash installed at all. (Firefox can find the Flash download just fine, so I’m not sure what is going on.) I’m wondering if the Flash default install location has somehow changed. The latest version installed at c:\windows\sysWOW64\macromed\flash
Thanks brian this was much appreciated.
Thanks Brian, Great info !
“Flash Player Update
“We are updating Flash Player to version 220.127.116.11 on Windows and Mac via our component update system (i.e. there will not be a Chrome update).”
As of 7:06 PM PDT, it hasn’t been updated for my installation of Chrome. ಠ_ಠ
Thanks as always, Brian.
” totally snuck up on me today” You didn’t get the Microsoft security email, now back in monthly circulation?
You are slipping there Krebs. LOL
More internet users need to stop using Internet Explorer and move to a third party browser.
Why? It’s a flah bug, so what does the browser matter?
In fact Firefox doesn’t have a sandbox and hence comes at the bottom in every hack contest, and in reverse on top is always IE11 + EMET on top.
Knea yerk ….
People better read this blog better and learn these things, and lose biases ☺
I hope you realize you can run Firefox through EMET.
Sandboxie is free and helps run any browser in a sandbox if that is your desire.
Not just any browser, but also browser plug-ins such as Adobe Flash Player and Java which run as child process of the web browser.
Brian recommends SandboxIE in his “Tools for a Safer PC”.
Referring to http://helpx.adobe.com/flash-player/release-note/fp_14_air_14_release_notes.html#released_versions ; only the SDK and Android version of AIR has been updated. Adobe has not mentioned AIR Desktop standalone at all in the release notes or the APSB, and they are still serving up 18.104.22.168 at http://get.adobe.com/air/
Even the official blog posting from Chris Campbell dated 7/8/2014 still explicitly states (and links to the download for) v22.214.171.124 as applicable to the normal runtime/desktop version, despite stating and linking to v126.96.36.199 for the SDK/compiler download.
The last two updates for Flashplayer downloaded but did not properly install with Firefox using Windows XP as the OS. Is this the experience of others?
I had that problem with XP and flash update 188.8.131.52 and found that when I uninstalled EMET 4.1 I could install the Flash update.
Brian, you write that “Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice…” Not true in many cases.
I have Windows 8.1 with IE 11, and I use a Firefox browser. Flash is actually built into IE in Windows 8.1, so it doesn’t even show up on the list of programs under Control Panel. My IE in Windows 8.1 always updates to the new version of Flash within two hours on the day a new Flash is released. The same thing happens with the Flash plugin for Firefox (which is listed on the programs under Control Panel). I don’t have to do a thing regarding either of these Flash applications, and it doesn’t take “days or weeks,” as you put it.
It’s darn near instantaneous for both browsers, has been ever since I’ve had this system.
You’re right, I should have said “may need to apply…” I’ll fix that.
I’m glad Adobe’s Flash updater works for you. It has never worked for me in anything close to a real-time way. And I know I’m not alone here.
Just had the auto updater work for the first time ever yesterday. Had to click on twice the number of ok prompts, but it worked.
I used to try to get BK to fix this but gave up. Glad you mentioned it again!
Had same issue with XP and Adobe Flash two days ago. But tonight, went in as Administrator, and had no problem with Flash update. Perhaps if you try again it will work?
Brian, I found your interview at npr very important. Most of the things you said I have never heard of at all. I ‘d like to ask you a question, but couldn’t find the right place. My question is: Are chromebooks safer than other computers/laptops? I know a person who uses it for onlinebanking. THanks for responding and thanks for informing us about hackers and safety!
Brian baby, when are you coming home?
Not sure it’s related, but when updating Flash on IE it crashed and now won’t reload, i.e., it keeps crashing and closing…..
Reset IE Settings Under Internet Options Advanced – Now OK(ish) – or as much as IE is OK. Thx
The Hazards of Probing the Dark side
Interview/Transcript with Brian Krebs
Thanks for the link to the NPR story.
Patches are not as fun…:)
On Windows 8 i have lastest version automaticly on Chrome, Opera, IE and Firefox. No needs for manual actions.
Regarding Adobe Air, the version number listed in the article is not the download on the Adobe site, nor on FileHippo. The Adobe site still has version 184.108.40.206, while FileHippo has more recent beta versions. FH does not have the SDK that I’ve seen, but I didn’t dig.
Download AIR from Adobe. Check the properties (Details tab) of the downloaded file. It says it’s version 220.127.116.11. So, their announced update isn’t available yet, it seems.
The new version of Adobe AIR doesn’t seem to be available from the Adobe website. When I download from there I just get the previous version, 18.104.22.168.
OK, according to the table, the update is only available for Android and for the SDK, not for the Windows runtime.
So … is AIR for Windows not affected, or have they just not bothered to ship an update? :-/
I think it’s great you’re publishing these notifications.
However, you’re giving some people a false sense of security in saying IE10/IE11 will auto-update Flash versions. Anyone on older OS versions (i.e. not Windows 8 or 8.1) won’t have Flash updates pushed by Microsoft. For them, they’ll still need to check that they’re up to date and (probably) have to download updates themselves.
It would be good to be clear about this when the next inevitable update comes along.
The information about the auto-update feature being a Windows 8.x feature was in the original post that I filed, and last night I noticed that the version with the graphics removed was running on the site, so I’m not sure what happened there, but I will go ahead and add that information back in.
Brian thanks for the info..more info is better than none at all. Even if all your message does is reminds people to update then they will be better off. Keep up the good work!
pepper_flash – Version: 0.0.0.0
after disabling the .125 here
Thanks brian this was much appreciated.
Interesting. When I checked the Adobe site after receiving the Black Tuesday notice from Microsoft, they had posted the Flash update, but the posted version of AIR was 22.214.171.124. It is STILL the posted version as I write this — no .137 yet.
It is July 10th and my Adobe Flash Player is still not updated in Google Chrome. Whats going on?
Any word from the Java camp? What is their release schedule now anyway? Monthly, quarterly…?
They are on a quarterly schedule now. The next one is due out next week, July 15.
What about the movie you posted few years ago or so?
It was about money mules as far as I remember.
It’s not my movie, I was just in a bit part of it. Ask @koppelman
Thanks for keeping people informed and for the e-mail that reminds us what needs updated! You are awesome!
I finally got the Adobe Flash update from Google Chrome on July 11, 2014. I guess they weren’t in a hurry.
Your cover image is missing Alaska from the nifty illustration of the U.S., it’s only the largest state in the nation.
This reply was intended for the Spam book you posted, idk how it ended up attached to the wrong article.