12 May 15

Adobe, Microsoft Push Critical Security Fixes

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat.

Three of the Microsoft patches earned the company’s most dire “critical” rating, meaning they fix flaws that can be exploited to break into vulnerable systems with little or no interaction on the part of the user. The critical patches plug at least 30 separate flaws. The majority of those are included in a cumulative update for Internet Explorer. Other critical fixes address problems with the Windows OS, .NET, Microsoft Office, and Silverlight, among other components.

According to security vendor Shavlik, the issues addressed in MS15-044 deserve special priority in patching, in part because the bulletin covers so many different Microsoft programs, but also because the vulnerabilities it fixes can be exploited merely by viewing specially crafted content in a Web page or a document. More information on and links to today’s individual updates can be found here.

Adobe’s updates for Flash Player and AIR fix at least 18 security holes in the programs. Updates are available for Windows, OS X and Linux versions of the software. For Mac and Windows users, the latest patched version of Flash Player is v17.0.0.188.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update in Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome,” click the apply update button and restart the browser.


The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera): IE uses the ActiveX version of Flash, while other browsers use the separate NPAPI plugin, and updating one does not update the other.
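Because the ActiveX and NPAPI copies of Flash are separate binaries, the quickest way to confirm that both were actually updated on a Windows machine is to read the file versions from Adobe’s install folder. The script below is an added example, not code from the original post or from Adobe; it assumes Flash’s standard install locations under System32 and SysWOW64 and takes the expected build (17.0.0.188) from the post. Chrome’s bundled (PPAPI) copy lives inside the Chrome install directory and is updated by Chrome itself, so it is not covered here.

```powershell
# Added example: report each installed Flash Player plugin type on Windows
# and flag any copy older than the expected build.
# Assumption: the expected version is the one named in the post above.
$Expected = [version]'17.0.0.188'

# Adobe installs Flash under Macromed\Flash in System32, and under SysWOW64
# for the 32-bit plugins on 64-bit Windows. Keep only the folders that exist.
$FlashDirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash"
) | Where-Object { Test-Path $_ }

# File-name patterns per plugin type (ActiveX control for IE, NPAPI plugin
# for Firefox/Opera). The version is embedded in the file name as well, but
# the PE version resource is the authoritative value.
$Patterns = @{
    'ActiveX (Internet Explorer)' = 'Flash*.ocx'
    'NPAPI (Firefox, Opera)'      = 'NPSWF*.dll'
}

function Get-FlashVersion {
    param([string]$Path)
    # Adobe's binaries report FileVersion with commas ("17,0,0,188");
    # normalise to dots and strip whitespace so [version] can parse it.
    $raw = (Get-Item $Path).VersionInfo.FileVersion -replace ',', '.'
    $raw = $raw -replace '\s', ''
    try { [version]$raw } catch { $null }
}

foreach ($type in $Patterns.Keys) {
    $files = foreach ($dir in $FlashDirs) {
        Get-ChildItem -Path $dir -Filter $Patterns[$type] -ErrorAction SilentlyContinue
    }
    if (-not $files) {
        '{0,-30} not installed' -f $type
        continue
    }
    foreach ($f in $files) {
        $v = Get-FlashVersion $f.FullName
        if ($null -eq $v) {
            '{0,-30} {1,-12} {2}  ({3})' -f $type, 'unknown', 'CHECK MANUALLY', $f.FullName
            continue
        }
        $status = if ($v -ge $Expected) { 'OK' } else { 'NEEDS UPDATE' }
        '{0,-30} {1,-12} {2}  ({3})' -f $type, $v, $status, $f.FullName
    }
}
```

Run it from an ordinary PowerShell prompt; no elevation is needed to read version resources. A machine where only IE was used to install the update will typically show the ActiveX line as OK and the NPAPI line as either missing or NEEDS UPDATE, which is exactly the situation the “apply twice” advice above is about.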

If you run Adobe Reader, Acrobat or AIR, you’ll need to update those programs as well. Adobe said it is not aware of any active exploits or attacks against any of the vulnerabilities it patched with today’s releases.


34 comments

  1. The download webpage for Acrobat Reader can be found here:

    https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

    The webpage for Acrobat can be found here:

    https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

    FileHippo reports the Air update brings it to v17.0.0.172, rather than v17.0.0.188 as with Flash Player (unless Adobe has made some further mod so these now conform).

    This was a big-download Patch Tuesday (270+ Mb on my Win7x64 desktop) which took a long time, but seems to have gone okay.

  2. Ok I’m not real swift with this. Can anyone explain the difference between Adobe Reader Acrobat DC released 4/6/2015 and the other ones, for example Adobe Reader 11.0.11 update – All languages 44.5MB released 5/12/2015? I remember getting an update notice to get DC a short while ago, so why are these 11 versions still out there? I thought the DC version replaced them? DC currently has no update to fix any security issue? Should I not have the DC version? Thanks for the help!

    • Hi Paul,

      Adobe mentioned in their security bulletin for Adobe Reader and Adobe Acrobat (https://helpx.adobe.com/security/products/reader/apsb15-10.html) that Acrobat Reader DC is not affected by the security issues mentioned in that bulletin.

      However it’s unclear when the DC version will phase out the older Reader 11 and Reader 10. Adobe usually continues to patch applications for 3 to 5 years after they have been replaced by newer versions.

      Reader 10 was released in late 2010 and thus should be ending support by the end of this year. Reader 11 came out in late 2012 and should be with us for another few years (provided Adobe does not change their mind and phase it out sooner).

      Sorry I don’t have any more information to share. Like you I’m curious as to how and when Reader DC will replace version 11. Thanks.

      • I don’t recall the answer to this off-hand, but last week I was upgrading Reader and Flash version for SCCM at work and found the answer in one of their Enterprise documentation guides. I do remember it mentions two different tracks- continuous and classic- of release cycle for Reader DC. If anyone cares to do some digging, I believe the information regarding the EOL of Reader XI is in here somewhere: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/index.html
        Hope that helps!

    • I also found this thread in the Adobe forum (although it does not give much more details):

      https://forums.adobe.com/thread/1843109

  3. I see that there is unhappiness on the Adobe Flash Player forum about unconscionable and prolonged delays by Adobe in posting the latest versions on the download page:-
    https://www.adobe.com/products/flashplayer/distribution3.html

    This has been an ongoing nuisance for many months.

  4. twinmustangranchdressing

    Mozilla made Firefox 38.0 available on May 12. Strangely, I couldn’t update from within Firefox 37.0.2 by going to About Firefox… I had to download the full installer. (This was on Windows XP 32-bit SP3.)

    • You are running XP SP3 and you are worried about Firefox updates?

      • I have yet to experience intrusions and malware of any kind on my XP SP3 system, the present incarnation of which has been in use since 2006. That is something that cannot be said for infected Windows Vista and 7 systems which I am often requested to remedy.

        There are many highly effective ways to harden XP as I have discovered since 2001. It is most unsafe to be complacent, just because the latest patches have been applied.

      • If for whatever reason you are forced to use the old XP, as many of my clients were, at least using a current browser can help some toward mitigating drive by attacks. Especially since Firefox has better plugin support for things like No Script and AdBlock Plus.

    • I generally dislike application stub installers from anyone (particularly Adobe and Google), and waited to download the full installer for v38.0 this morning. If you haven’t already installed it, I would strongly recommend waiting until v38.0.1 is released, because I’ve experienced repeated crashing (perhaps a dozen or so times) since.

  5. I’m having Outlook issues since I downloaded yesterday’s patches from Microsoft. I can’t get or send emails in Outlook. Thoughts on how to fix this??

  6. I’m running Windows 7 Professional sp1, 64 bit. I don’t have any problem with Outlook since the updates, but haven’t been able to open a Word document without getting a trouble notice and watching Word shut down. I uninstalled the Word update (KB2965237) and restarted, to no avail. A system restore resolved the problem, but now I’ll have to wait for things to get sorted out before trying again. Unless, of course, anyone has any ideas(?).

  7. If Firefox 37.0.2 does not update to 38.0, remove the program and apply a fresh install.

    • Mozilla confirm there is a bug in v38.0 and have pulled it from download availability until v38.0.1 can be released “in a few days”.

  8. Are the patches in MS15-044 enough? Wouldn’t any Application using gdiplus.dll (a WinSxS file) also need to be patched?

  9. This latest set of patches resulted in the first ever time my computer was caught in the dreaded “can’t configure Windows” loop after installation. My system is a one-year old HP laptop with Windows 7 Pro, and I don’t use any other Microsoft products except for having IE 11 available as an alternate browser (rarely used). I think the problem was probably caused by so many security patches to the obnoxious dot NET Framework versions MS has pushed on programmers over the years. After spending all day yesterday running deep security scans (no viruses found), chkdsk, and system file checker, and hiding the updates to avoid running into the same problem again, I am now about to download the updates one by one to see if any one update is creating the problem or if I now have a registry issue thanks to yesterday’s disaster. Not surprised others are reporting problems.

    • Grayslady. I am having same problem on my Win7 system after updating.

    • Grayslady: How did it work out, I had similar problems but was waiting to see if you had any results or other handy knowledge to report. Install them one by one? Particular ones to avoid? Fixes? What did you learn?

      Thanks very much!!

  10. Wow, Kevin Mitnick was here … 😉

    Advertising on Brian’s site, probably just for me.

  11. AdorabelAtheist

    We are experiencing a limited amount of Configuring Updates ‘Stage 3 of 3’ looping systems. I’ve found that rebooting them multiple times (4-5) corrects the problem eventually. The fix I’ve seen out there involving an F8 and CMD line C:\Windows\winsxs\pending.xml to another location did diddley.

  12. AdorableAtheist

    Adorable….no, really….

  13. I have noticed it on couple of servers as well, but the security patch is pretty simple

  14. I do not understand why, if I heed the automatic notification from Flash to download from their default location (after unchecking the McAfee “kind” offer), it downloaded 17.0.0.188, while the no-bundle location only lists 17.0.0.169 (Plugin and ActiveX versions).

  15. Hi Brian,

    Not sure if this has made the rounds yet–
    http://www.sevenforums.com/windows-updates-activation/369225-windows-7-update-kb3022345-causing-corrupt-files.html

    Windows Update 3022345 in particular seems to corrupt a few files in the winsxs folder as well as the Diagnosis folder in ProgramData. It caused me to lose the ability to use Command Prompt, System Restore, and pretty much any program that needed conhost.exe. May be worth looking into. Uninstalling that update, running SFC, then rebooting fixed all of the above problems for me. The update was installed 05/16, so it was recent.

    • Sorry, I’m not a professional but have been using updates and learning people’s fixes to them. Do not know what “SFC” stands for, can you translate the acronym? Thanks.

      • It represents System File Checker, the built-in Windows (XP onward) scanner for determining what system files might need to be repaired/replaced. If you still have XP, you’ll need the primary installation CD (not the SP3 upgrade CD) in your disk drive, but with Vista onward those replacement files are contained in the OS hard drive folders.

        There are a number of different possible switches you can use, but the easiest way to run it is simply to click “Start|Run”, type in (sans quote marks) “sfc /scannow” and click OK. If you’re doing this with XP, you may need to monitor the process if the disk drive has spun down and hasn’t automatically responded when SFC thinks it needs to find a replacement file, but otherwise just let it run through to completion, remove the CD from the drive and reboot.

  16. Learned in testing that MS15-044 the Critical Font Driver vulnerability also affects Lync and runs Lyncmso2013-kb3039779-fullfile-x86-glb.exe, but that the latter also contains the Skype for Business rebranding of Lync, and it is triggered on systems with Office 2013 SP1.