September 9, 2014

Adobe today released updates to fix at least a dozen critical security problems in its Flash Player and AIR software. Separately, Microsoft pushed four update bundles to address at least 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. If you use any of these, it’s time to update!

winiconMost of the flaws Microsoft fixed today (37 of them) are addressed in an Internet Explorer update — the only patch this month to earn Microsoft’s most-dire “critical” label. A critical update wins that rating if the vulnerabilities fixed in the update could be exploited with little to no action on the part of users, save for perhaps visiting a hacked or malicious Web site with IE.

I’ve experienced troubles installing Patch Tuesday packages along with .NET updates, so I make every effort to update .NET separately. To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes). Your mileage may vary.

For more information on the rest of the updates released today, see this post at the Microsoft Security Response Center Blog.

brokenflash-aAdobe’s critical update for Flash Player fixes at least 12 security holes in the program. Adobe is urging Windows and Macintosh users to update to Adobe Flash Player v. 15.0.0.152 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. If you’d rather not be bothered with downloaders and software “extras” like antivirus scanners, you’re probably best off getting the appropriate update for your operating system from this link.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15 for Windows, Mac, and Android.

Adobe had also been scheduled to release updates today for Adobe Reader and Acrobat, but the company said it was pushing that release date back to the week of Sept. 15 to address some issues that popped up during testing of the patches.

As always, if you experience any issues updating these products, please leave a note about your troubles in the comments below.


72 thoughts on “Critical Fixes for Adobe, Microsoft Software

  1. Rick

    “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).”

    …because it would be WAY too consumer-friendly, administrator-friendly, and security-friendly to have a consolidated installer….

    1. JCitizen

      I’m not a Windows 7 user yet, but last time I worked on Win7, there was no need of flash at all. I tested four browsers on it, and flash was not needed in any of them, and neither was Java. Thankfully all my apps and gateway GUI do not need Java installed on the machine any longer either. Two of my biggest irritants just left the stage! YES!

      1. Phoenix

        Thanks for the tip JC. I deleted Flash Player and I found IE11 and Firefox play videos just as well.

        1. JCitizen

          Yeah – I need to get off my behind and upgrade – I’ve been stalling for months! Glad you did it, and your’re welcome! 🙂

          1. Jean W

            Ditto here for liberation from Adobe maintenance chores.
            I uninstalled the remaining Flash dll just last month, after Adobe’s update added a DRM directory uninvited.

            I run either of the Mozilla browsers, SeaMonkey or Firefox, with the NoScript extension, in a Win 7 SP1 home setup, and admin a basic home network.
            As soon as youtube began delivering html video for general stuff, I was free to disable Flash dlls from browser plugins. Before the arrival of multiple formats on youtube, Flash was the only way to pick up the many bits and pieces that most mainstream media sites now throw on to youtube. But now, for those very few sites where a proprietary flash player is used… I’ve found I can do without anything served that way, and have encouraged others on the LAN to do the same.

            Aside from relieving me also from the duty of cleaning up any Adobe storage thrown around my hard drive by way of cached data and cookie-style tracking files, I’m also pleased to say goodbye to Flash because with the recent reporting around security and privacy hubs of hackers marketing all kinds of interception devices to government now, who’d want to have a streaming application that is so apparently easy to subvert for man in the middle activities?!

    2. Jackson

      I used to have to install Flash twice, but things have changed. With my Windows 8.1, Flash is built into the IE browser and automatically updates itself same day. In fact, the IE Flash is no longer even listed under installed programs. Only my Firefox plug-in is listed under installed programs, and it, too, updates itself same day.

  2. S N

    >>
    …because it would be WAY too consumer-friendly, administrator-friendly, and security-friendly to have a consolidated installer….
    >>

    On the other hand, some of us (while keeping up with Microsoft’s IE patches) don’t actually *use* that browser. We install the Adobe update for Firefox, Opera, PaleMoon, etc. Why, voluntarily, add an unnecessary attack vector?

    1. Rick

      That puts you in the definite minority, and that’s for home use, too, no doubt. Off the top of my head while that’s a theoretical attack vector, I can’t think of any threats that can exploit the Flash ActiveX except through IE itself (unlike the NPAPI plugin which can be leveraged by Acrobate.

      1. Zackis

        Search active x attack vector in google not only is it a well used vector but by running IE you in the OS at a deeper point ( the IE hooks are fairly legendary in terms of scope)

        Active x is horribly broken and only recently has it been patched in any meanigful way.

        TheNPAPI also has issues.

        SN is not as small a minority as you may think .

        1. Rick

          “I can’t think of any threats that can exploit the Flash ActiveX except through IE itself”

          That means “running IE.”

          1. SeymourB

            So you’re saying that all applications which use IE to display HTML and similar content don’t gain IE’s vulnerabilities?

            IE is used on Windows the way Safari is used on OSX. The framework underpinning both apps are available for applications to use at any time, and many do. As a result, vulnerabilities in IE (or Safari) translate into vulnerabilities in a wide array of applications.

      2. mechBgon

        Rick, it could be used by other software too. This is why EMET 5.0 enables Attack Surface Reduction on a couple of Office apps and restricts Flash in particular. More info yonder:

        http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx

        “By default, EMET 5.0 is configured to block some modules and plug-ins from being loaded by Internet Explorer while navigating to websites belonging to the Internet Zone, and to also block the Adobe Flash plug-in from being loaded by Microsoft Word, Excel, and PowerPoint.”

        Since we’ve touched off the “ActiveX is broken” tirade elsewhere, may I recommend simply enabling ActiveX Filtering, fundamentally what other browsers might call click-to-play. It switches Flash Player and other controls to a disabled-by-default state. We use this at work, and my very average co-workers have acclimated well to it. Give it a try.

        1. SeymourB

          I tried that at work. I explained why it was useful, why it was good security, and how simple it was to use.

          Within 6 months everyone figured out how to disable click to play and had done so because it was “frustrating.”

          You can lead a horse to water, but you can’t make them drink…

          1. mechBgon

            You need to either cast Dominate at level six or higher, or use Group Policy 😉

            In IE’s case, you can simply use Group Policy. Go to Computer Configuration > Internet Explorer, and theres a setting or “Turn On ActiveX Filtering.” Enable that setting, and you can save your manna for the tougher spells like “I Told You Not To Click On That” or “Enhanced Password Remembering Abilities.”

  3. TheOreganoRouter.onion.it

    Wow ! 37 vulnerabilities for Internet Explorer, how many for this year alone. Makes you wonder why more internet users have not moved to a third party browser by now.

    1. mechBgon

      IE is exceptionally manageable, for one thing. I won’t get bogged down in the details here. Modern versions of IE also have a pretty good package of mitigations, while at least one of its main competitors hasn’t even gotten around to using Low integrity levels yet, let alone anything that would compete with IE11’s EPM with per-tab AppContainer sandboxing. Great job competing with, uh, IE6…

      Back on-topic: this month’s batch of updates went smoothly for my fleet (Win8.1 Pro x64, some Office 2010, one Windows Home Server 2011). I applied them all in one fell swoop. One update failed on WHS2011 on the first go-around, the optional roll-up patch. I got it on the next run.

      1. JCitizen

        Good one mechBgon – for those of use still stuck on IE-9 because of Vista 64 bit. It has been touch and go until recently – now IE is one of the best browsers again since the last patches. It was inop for several month not long ago! My obsolete version of EMET may have been part of the problem.

    2. bob

      As you have no idea how many bugs are found for all browsers, how much effort goes into finding bugs for all browsers or how many bugs are found but not made public for all browsers, deciding which browser to use based on published bug fixes is pretty stupid. This applies to all software.

  4. TheOreganoRouter.onion.it

    Internet Users need to stop using Internet Explorer

    1. Likes2LOL

      Does anybody else besides me find it incredibly ironic that the *least* secure browser with which to surf the web is the one crafted by the very makers of the OS? (The only reason I ever use IE is to run Windows Update.)

      I don’t know why, but rather than invoke your default browser the WeatherBug app is hard-coded to invoke IE if you click on any of it’s ads; if I ever get infected, it’ll probably be thanks to WeatherBug!

      1. Moike

        > (The only reason I ever use IE is to run Windows Update.)

        Are you still running Server 2003? That’s the only supported Windows OS that still uses IE as a vector into Windows Update.

          1. Sasparilla

            In Windows 7 if you click Tools on I.E. 9 (my firm’s standard) windows update is still listed and launches from there.

            So, while you can access from other places within Windows, its still available and easy to get to from I.E. on Windows 7. Wonder if it is on 8 there too?

  5. thefatman

    A good reason to update IE is that some programs bring up IE as a default when you attempt to update their programs.

    1. James Edward Lewis II

      Not only that, but some programs embed the WebBrowser control (an IE component) internally to display Web content, like WinRAR’s big nag window, and (I suspect, based on the “missing image” placeholders when the Internet connection is poor) FileHippo Update Checker’s “Customize Results” window.
      For this reason, I take the security of IE very seriously, even though I rarely launch the browser (I prefer Chrome).

      However, it’s not as bad as it once was: I remember in the old days that SoulSeek would embed the WebBrowser control, but I don’t think the newest version does; also, Steam and iTunes use their own browser components, based respectively on Blink and WebKit.

  6. Harry Johnston

    If you deploy Flash Player in an enterprise, note that the links to the full installer from the deployment page are currently wrong: they point to the old, vulnerable version rather than the new version.

    You can get the new version by copy-and-pasting the download URL and manually replacing “14” with “15”.

    1. Old School

      “If you’d rather not be bothered with downloaders and software “extras” like antivirus scanners, you’re probably best off getting the appropriate update for your operating system from this link.” The link is http://www.adobe.com/products/flashplayer/distribution3.html . At 08:00 on 9/9/2014 I went to that page which was titled Flash Player 15.0.0.152 (Win and Mac) . The download module had not been updated to release 15. As of this writing the module has been updated to release 15.
      On 9/9/2014 I was able to get release 15 by going to Adobe.Com, searching on “Flash” and using the download page that includes the junkware. Adobe needs to improve the roll-out process to include all download pages.

      1. meh

        They get paid to bundle the junk. They have a financial interest in making as many people as possible install unwanted garbage along with their own garbage.

      2. Harry Johnston

        Yes, I can confirm that they’ve resolved the problem with the download links on the distribution page. I’d be happier about how quickly they fixed it if this was the first time something like this has happened … they want you to jump through hoops to get the full downloads, because reasons, then can’t even be bothered to make sure the “ultra top secret pinky swear magic decoder ring download page” actually works!

  7. Chris Thomas

    The problem with separately installing the .NET updates is that this breaks the automatic update model. Consumer users of Windows depend on automatic updates. Why has Microsoft not learned to sequence the installation process to mitigate the problem?

  8. Rich

    Ah yes, more .NET security fixes. How many has this been for Windows? 100’s? And Krebs has the nerve to not tell people to uninstall .NET from their windows computer. Hey Brian, I’ll do it for you:

    If you have no need to use .NET then please UNINSTALL it from your computer. Microsoft .NET is a consistent vector for attacks.

    1. driedoutcavediver

      What is the best way to determine IF you can safely remove .NET?

    2. mario

      EMET requires .NET, for example.
      I believe that EMET is a necessary tool and it isn’t a good practice to get rid of it… but I agree with you about the risks to have .net installed.
      Is the compromise worth of this risk?

      1. Chris Thomas

        I believe that you can disable .NET as far as is allowed within the scope of Internet Properties – Security per zone.

      1. Rich

        Thanks Brian for the link. Here are a few edits you should make to the link:

        Bad guys are constantly attacking flaws in widely-installed software products, such as .NET, Java, Adobe PDF Reader, Flash and QuickTime.

        If you don’t need .NET or Java, uninstall it. You can always reinstall it if you find it is needed for some Web site or third-party application. If you can’t bring yourself to completely remove .NET or Java or if you have desktop programs that require it.

    3. Moike

      >If you have no need to use .NET then please UNINSTALL it from your computer. Microsoft .NET is a consistent vector for attacks.

      Of course any software may have problems, but the .NET problems are not close to the severity of Java problems – the .NET software doesn’t have browser plugins which are a conduit to silent, drive-by malware.

      In fact, this month’s patch only addresses problems if you’ve enabled IIS ASP on your computer (no one does that unless they are a developer or web server)

  9. Erik Carlseen

    Sadly, Internet Explorer is still flat-out required for many corporate and B2B extranet websites. It’s not going to die any time soon.

    I’m pretty much convinced that Steve Jobs was onto something when he declared war on Adobe Flash. Critical vulnerabilities each and every month, and sometimes more often than that.

  10. Chris

    Technically this download site is for Distribution and you’re not supposed to share the link.

    “You may not share the above link, share information with others, or publish the above link on websites, blogs, or by any other means that can be publicly accessed. The information contained on this site is meant for your use only in accordance with Adobe Flash Player Distribution License Agreement you accepted. You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights.”

      1. Chris

        Also unless you know to search for “flash player distribution” most search for this

        https://www.google.com/search?q=flash+player+download

        Which doesn’t allow the download site posted to show up. Besides the fact, unless you’re downloading it just for yourself, the page states that you must apply for a license to “distribute”; even within your organization.

        Krebs lives his life playing by the letter of the law. He hates when people deviate from it and don’t play by the rules. Go figure… Whatever.

        1. Harry Johnston

          Depends on where Brian got the link from, doesn’t it? If he never signed a contract saying he wouldn’t hand it out, well, I’m not a lawyer. But if Adobe were serious about this they’d … actually, come to think of it, I’d better not give them any ideas. Getting the installer is annoying enough already!

          1. SeymourB

            Not to mention that, acting as a journalist, Brian has certain legal rights when it comes to publishing information.

            If Brian had agreed to the contract he could be bound by its terms, but assuming he was provided the link by a source (or by simply typing “flash player msi” into a search engine), then he’s free to publish a link. Given that the contract in question regards distributing Adobe’s software within your organization, it would be rather unusual for Brian to have agreed to its terms.

            That being said, I’m quite saddened that Google has, yet again, failed to weed out fake “Flash Player” advertising. Just type Flash Player into Google and look at what the advertised result is… advertising for a third party “Flash Setup” executable. VirusTotal flags that executable as containing some rather suspicious data…

            1. JCitizen

              Not to mention, I am accosted by fake “Flash Player” download tabs every time I try to go to this site. I’m wondering how much Brian knows is going on to possibly discredit him by outer players on this subject. OR maybe inside players? I’m not casting aspersions, just asking questions here! To give credence to Brian’s site, I feel I must allow as many scripts and ads as I can. Perhaps Brian would provide a page of approved scripts so we can protect our selves from these annoying problems?

              I don’t use Google per se, but Comodo Dragon, which uses the same core, but has a striped down rendering engine – but I still have to rely on Script Safe to peruse the site, with AdBlock turned off! It has become a real pain in the last months!

            2. Old School

              “That being said, I’m quite saddened that Google has, yet again, failed to weed out fake “Flash Player” advertising. Just type Flash Player into Google and look at what the advertised result is… advertising for a third party “Flash Setup” executable.” I too was appalled by the ads that Google would display when searching for Adobe Flash. Norton Safe Web would flag them with red boxes. I was about to make a comment containing the names of the sites so I ran Google searchs on “Flash Player download” “Flash Player ” plus “Adobe Flash Player ” and, what to my wonderment, the ads were gone!! When I ran the Google search on “Flash Player download free”, four third party ads were listed. Two ads were “clean” and two were flagged. The flagged sites are joydownload.co and onfreedownload.com

    1. JCitizen

      Just follow Brian’s links, that check which version you have, and match the version numbers. If they don’t match the version number listed in the article – you need the update – that is if you really need flash at all!

      You can also download and run Secunia PSI to see what might be vulnerable in your system, and/or File Hippo Update checker – I’d sooner try the File Hippo utility if you not experienced.

  11. James Amerson

    I especially enjoyed the Ask Toolbar included with these ‘critical’ security patches from Adobe.

  12. Jeff G

    As far as updating Adobe Air, the only way that I’ve found to update this is to open up the only app that I have that uses it (Pandora) and wait to see if that triggers an automated request to update Air.

    Anyone have a more direct way of updating Adobe Air?

    1. BillC

      Go to adobe.com, click on the menu, then click on Adobe Air at the bottom of the page. When you hit Download and open the installer, it will tell you which version you have and what the new one is…

      1. Bugs Bunny

        Aaaaayyyy, what’s-up doc?

        Hey @BillC
        go to “www.ninite.com” and make an installer stub exe file to install the latest version of Adobe AIR. whenever it’s updated run this installer stub to update to the latest version. eZ-pZ d00D. you can also get allot of other essential apps from “www.ninite.com” check it out we use the site all the time down here in the wabbit hole.

        so now U caN haZ Air

  13. Eaglewerks

    Up-date performed without a hitch or hiccup. Intel based machine running Win 7Pro. I did note the mentioned Adobe patches/up-grades were done by me on my machines several weeks ago when Adobe notified me of their availability for both I.E. and Ff. As a side note, for everyday visiting to a select group of sites I visit on a daily basis (ie: Krebs) I use Ff with the FVD Speed Dial overlay (app?). For sites requiring more security I honestly use I.E. 11, fully updated, and properly configured.

    For the occasional heckler, here is a bit of my personal OS use and history: BOS/360 (IBM’s Basic Operating System); DOS/360 (IBM’s Disk Operating System); Northstar DOS/CP/M/NS BASIC; P.C. DOS (I liked it better than Microsoft DOS); Windows 3.1 and newer; FARGO (A modified Linux OS with a GUI for server management); And any other number of LINUX based OS’s.

    Sometimes I miss P.C. DOS, but for the most part I am very pleased with my current Microsoft configurations and use.

  14. Tom

    I have a Windows Automatic update that I’ve been putting off for a few days … think I’ll let it update tonight … thanks for the heads up!

  15. Simon

    Is only Facebook would sort their video playback to recognize the device capabilities, most folk could ditch flash without a second thought.

  16. Geezertryin2keepup

    Is the Sept Patch Tuesday package independent of Aug’s bad patches? After the Aug episode, I followed the advice quoted in Brian’s follow-up column: “Currently the only solution is to uninstall KB2965768, KB2970228, KB2973201, KB2975719, KB2982791 and KB2993651, as that will bring win32k.sys back as the working version.” Will that affect my installing the Sept set? Are the earlier bugs now fixed with the Sept set?

  17. JimV

    The Acrobat Reader XI v11.0.0.9 patch is now available, and can be downloaded from the following URL:

    http://ardownload.adobe.com/pub/adobe/reader/win/11.x/11.0.09/misc/AdbeRdrUpd11009.msp

    The full paid-for Acrobat patches are available from a different webpage — here’s the one for Acrobat X:

    http://ardownload.adobe.com/pub/adobe/acrobat/win/10.x/10.1.12/misc/AcrobatUpd10112.msp

    I think the XI patch can be d’ld by substituting “11.x” for “10.x” and changing the specific version to “11.0.0.9” from “10.1.12”, but don’t have the full XI so can’t confirm for certain.

  18. Chris Thomas

    Thank you for the link to the Adobe reader 11.0.09 update msp file. Windows 7 users can update from the help menu of Adobe Reader XI but doing the same with Windows XP fails. There seems no way to communicate this to the deaf at Adobe so the link is valuable.

    1. Chris Thomas

      The Adobe forum seems to disclose that 11.0.09 no longer supports Windows XP. Adobe never ceases to amaze me. One Adobe brain lobe provides an update to 11.0.09, the other brain lobe disables the help menu access to the update for XP users. Is this indicative of the quality of Adobe management? Ill thought out seems to be an Adobe characteristic.

      The is a dotdot version update. I might expect Windows XP support to end at the release of the future new major version 12 but not at 11.0.09! Anyway, thank you once again Brian for the link to the .msp installation file.

      1. JimV

        The 11.0.09 MSP update installed without any problem on an XP laptop I’ve still got, and seems to function just fine. That might not be the case whenever v12 is issued, but if Adobe stays true to form they’ll support v11 until v13 is issued.

Comments are closed.