This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.
ADOBE
Adobe’s Flash patch brings Flash to version 18.0.0.209 on Windows and Mac systems. This newest release fixes two vulnerabilities that were discovered as part of the Hacking Team breach. Both flaws are exploitable via code that is already published online, so if you must use Flash please take a moment to update this program.
If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.
The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice: once with IE and again using the alternative browser (e.g., Firefox or Opera).
Please consider whether you really need Flash installed. It is a powerful program that is being massively leveraged by cybercriminals to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.
Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.
Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave and it’s just as buggy as Flash but it doesn’t get updated nearly enough. In any case, links to the latest version of Shockwave are available in the advisory.
MICROSOFT
With today’s 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today’s patches, including one zero-day flaw uncovered in the Hacking Team breach.
Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.
Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2424) that is actively being exploited by attackers.
More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.
ORACLE
Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.
The latest version, Java 8 Update 51, is available from Java.com. But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I’ve urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default).
The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.
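For readers who manage more than one machine, a small added check (my own example, not code from this post or from Adobe or Oracle) that flags installed Flash and Java builds older than the patched versions named above, Flash 18.0.0.209 and Java 8 Update 51. It assumes a constructed inventory export of the form host,product,version and handles the version spellings those products use (18.0.0.209, the registry-style 18,0,0,209, 8u51, 1.8.0_51, 8 Update 51); note that comparing version strings as text would rank 18.0.0.94 above 18.0.0.209, so they are compared as integer tuples.

```python
"""Flag Flash / Java installs older than the patched versions in the post.

Added example with constructed sample data; not code from the post,
Adobe or Oracle.
"""
import re

# Minimum patched versions named in the post (Flash 18.0.0.209, Java 8u51).
MIN_PATCHED = {
    "Adobe Flash Player": (18, 0, 0, 209),
    "Java": (1, 8, 0, 51),  # Java 8 Update 51 == 1.8.0_51
}

# Constructed sample inventory export: one "host,product,version" per line.
SAMPLE_INVENTORY = """\
ws01,Adobe Flash Player,18.0.0.209
ws02,Adobe Flash Player,18.0.0.94
ws03,Adobe Flash Player,18,0,0,203
ws04,Java,8u51
ws05,Java,1.8.0_45
ws06,Java,8 Update 51
ws07,Java,7u80
"""


def parse_version(product, raw):
    """Normalise a product's version string to a comparable integer tuple."""
    raw = raw.strip()
    if product == "Adobe Flash Player":
        # Accept dotted (18.0.0.209) and comma-separated registry style.
        if re.fullmatch(r"\d+([.,]\d+){3}", raw):
            return tuple(int(p) for p in re.split(r"[.,]", raw))
    elif product == "Java":
        # "8u51" / "8 Update 51" -> (1, 8, 0, 51)
        m = re.fullmatch(r"(\d+)\s*(?:update|u)\s*(\d+)", raw, re.I)
        if m:
            return (1, int(m.group(1)), 0, int(m.group(2)))
        # "1.8.0_45" -> (1, 8, 0, 45)
        m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", raw)
        if m:
            return (1, int(m.group(1)), 0, int(m.group(2)))
    raise ValueError(f"unrecognised {product} version: {raw!r}")


def is_outdated(product, raw):
    """True when the installed build is below the patched version."""
    return parse_version(product, raw) < MIN_PATCHED[product]


def find_outdated(inventory_text):
    """Return (host, product, version) for every install needing the patch."""
    outdated = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split(",", 2)  # version may hold commas
        if is_outdated(product, version):
            outdated.append((host, product, version))
    return outdated


if __name__ == "__main__":
    for host, product, version in find_outdated(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the patch")
```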
I had 29 Microsoft updates on my Windows 8.1, and think half of them were for the Windows 10 install coming on July 29th.
Apparently you don’t own a dictionary.
I wish the browsers would set flash disabled as the default like they did with java. I’ve had flash disabled for a year (except on one browser that I only play a flash game on) and I haven’t missed it. If anything, it means I see less ads on the screen.
Does this latest Adobe Flash update cover the third zero-day referenced in your previous post?
yes, it covers all of the recent zero-day Flash flaws that we know about so far.
With an emphasis on the ‘know about so far.’ Something tells me more are right around the corner…
I checked Java and their latest version is Java 8 45. I don’t see any Java 8 51? Did they take it down or something?
Yeah, I had the same issue; the website might still be cached in your browser. Force refresh with Shift + F5.
Otherwise, if that doesn’t work, here is the manual download page: https://java.com/en/download/manual.jsp
I didn’t see any update for Linux this morning.
The 11.2.202.481 is from July 08, 2015.
Were they not affected by these zero-days?
Why do you keep making mistakes in your blogs for Flash Player updates? You keep putting quotes in “About Google”, but never in “About Google Chrome”, because the quotes you put always end after “Google” instead of “Chrome”. It’s supposed to say “About Google Chrome”, NOT “About Google” Chrome! Please stop messing up the quotation marks, okay?
A thousand pardons, Debbie. I won’t do it again.
And you thought you left editors behind when you left the Washington Post.
Apology accepted, Brian. You’re still cool.
Oh stop with the Flash bashing. It’s excellent software and spurred the digital media revolution.
“It’s excellent software and spurred the digital media revolution.”
Yeah, it’s the Battleship Potemkin of software….
If it was a car it would be called the Flash Lemon.
Like Java it’s a terrible piece of software that has never been secure. I won’t drive in a car where the wheels are likely to fall off every second week, would you?
You use your legacy 1920s no-dial wall phone too? Everyone who knows what they are talking about (as far as I can see) is advising to drop Flash. Yes the Gutenberg typesetter has the great historical honor but no one is silly enough to expose themselves to the cost of using it. I have two providers still not providing the alternative HTML player, and both have lost business from me because of their lackadaisical or out of date failure to just bring on the HTML player. And I’ve told them I’m not exposing myself to watch things I need from them, I’m just cancelling my accounts (including my cell service provider).
Flash was great back when the best we could get in a browser was Internet Explorer 4. Modern browsers don’t need extensions like Flash and Java anymore thanks to HTML5.
Eh? I thought Internet Explorer was on its way out…
Well… It’ll still exist for years as the default Microsoft browser in Windows Vista through Windows 8.1.
For Windows 10 Microsoft renamed their new version of I.E. to Edge. Doesn’t that feel safer? Unfortunately it’s still just Microsoft’s next version of their browser (whatever the name).
Since it’s bundled with every copy of Windows, it’ll continue to be targeted for exploits by govts, bad guys etc. Edge is the new I.E., as it were. That said, some bad security issues with I.E. have been removed (ActiveX etc.) in Edge.
Edge isn’t a rebadged version of IE, it’s an entirely new browser. Amazingly enough, it’s also compliant with web standards, as opposed to making them up as IE always did.
For further proof, note that Windows 10 Pro has a hidden version of Internet Explorer in it, primarily for compatibility with the dread IE only enterprise applications.
Speaking of Flash, both Google and Mozilla have disabled it on Firefox and Chrome following the “critical” security flaw. Well, that can’t be good for those who watch Flash videos or play Flash games, huh?
http://www.dailymail.co.uk/sciencetech/article-3160644/Google-Mozilla-pull-plug-Adobe-Flash-Tech-giants-disable-program-browsers-following-critical-security-flaw.html
Thank you! I was looking for a link.
As the SCCM / Deployments guy I was the first person to blame when Flash things stopped working.
I believe that Flash is doomed to be a PC relic, drowned by a flood of mobile devices devoid of Flash (thanks Steve Jobs). I read that more sites, including porn, are switching to HTML5 to be compatible. Anyway I deleted Flash and don’t intend to ever reload it. If a site doesn’t work, that’s their problem.
Brian,
When you say “exploitable”, could you describe a typical set of steps the bad guys would take to exploit the zero-day vulnerability? Do they post a Flash-based ad on legitimate sites or what exactly do they do?
Just curious…
Thanks!
To see a description of how it can work go to Brian’s earlier description of the first Hacking Team zero day that broke out into the public view:
http://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/
Click on the screenshot so you can read Hacking Team’s description (to their clients) of how to use it. The user would never know they were compromised, just visit the web page and the user is owned without his / her knowledge.
When I first saw your post, it correctly pointed me to the Java 8.u.51 updates which I downloaded at work and installed. (Yes, we use corporate apps which require Java.) By the time I got home, it appears that Java.com is now directing back to the April 8.u.45 update. Maybe you broke the Internet.
No, that is Oracle’s mistake. If you go to the See all Java downloads link on that page you should be able to get Java 8u51.
Umm, Debbie, maybe you oughta cut back on the caffeine a bit?
At least Acrobat Reader still auto-updates if you allow it.
Flash, on the other hand, stopped auto-updating again during v16. Some of the people making decisions at Adobe there need to be thrown out of the industry completely.
As for Debbie’s post. Well, it’s the Daily Mail, so expect something less than journalistic. But then, this has been the case across the board today with the ‘reporting’ on what Firefox & Chrome have done.
Firefox merely added another “click to activate” for older versions of Flash (although I’ve seen other screencaps showing that much older versions of Flash perhaps have more hoops to jump through). But older Flash versions can still be used; it was by no means disabled/blocked.
As for Java: Brian, it might be useful to point out with your link to the Java download page that, much like with Flash, the ‘online’ version will try and download unnecessary crap. If you’ve got to download & install Java, use the Windows Offline installer.
Brian,
I would like to follow your advice and remove the Shockwave Flash plug-in for Firefox. But this is not an easy procedure. Could you please explain how to do this?
Thanks for your attention.
rem Silently uninstall Shockwave 11 (32-bit build on 64-bit Windows) and Shockwave 12 if present.
if exist "C:\Windows\SysWoW64\Adobe\Shockwave 11" "C:\Windows\SysWoW64\Adobe\Shockwave 11\uninstall" /S
if exist "C:\Windows\System32\Adobe\Shockwave 12" "C:\Windows\System32\Adobe\Shockwave 12\uninstall" /S
Are you trying to uninstall Flash, or Shockwave?
Windows users can tell if they have Shockwave Player installed by going to Add/Remove Programs panel and checking for Shockwave.
Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.
Hello Brian,
I want to uninstall “Shockwave Flash 18.0.0.209” as listed on the Firefox Add-ons Manager. Beneath that name is: Shockwave Flash 18.0 r0 (in small print). I have disabled the plugin (i.e., set it to “Never Activate”). I use a MacBook (OS X Yosemite).
The Flash Player itself is not on my system, or so I am told by the Adobe web page “Check” tool, which says that the Player is not installed or not activated on my system.
Still, to be sure, I would, if possible, like to remove this plugin from the Firefox Add-ons Manager list.
Thanks again for your looking into this.
The website won’t recognize that you have Flash because you disabled it.
https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html
Hello Timeless,
Thank you very much. I used the URL for the Adobe uninstaller, ran the uninstaller, and both Flash Player and the Shockwave Flash plugin were removed from my system, thanks to you. I appreciate your help. – David
You sure the .209 patch is available for IE 11 in Win 8.1 64-bit? It’s still not coming up for me in Windows Update, and I’ve already installed all the Patch Tuesday updates. I’ve already updated to .209 in both Chrome & Firefox.
The last such out-of-band patch for the integrated Flash Player lagged slightly. It’ll probably show up in Windows Update soon. You may find the Qualys Browsercheck site handy for verifying your FP version, as well as other add-ons.
Tangentially, I recommend trying ActiveX Filtering for anyone with IE installed, even if it’s not your main browser. Gear icon > Safety > ActiveX Filtering. Turning all ActiveX doodads off by default is an easy win. There’ll be a blue circle icon in the address bar when something got filtered, click that if you need to override filtering.
This month’s batch of updates went OK on the systems I’ve done so far (Win 8.1 Pro x64, Office 2010). I lean towards the “install ASAP” camp, seeing how fast the attackers can react these days.
Thanks!!! Did it with my computers.
Sadly many sites needed for corporations users like ADP or (sigh) bank sites require FlashPlayer to be installed to use their site. And I’ve even run into a few cases where they require a particular version which is not the most recent or even several versions behind.
As Brian mentioned, a solution to this is to have a dedicated Flash / Java browser that you use only for those sites and a non Flash / Java infected browser for all your other browsing needs.
I have to use I.E. with Flash and Java at work, only use it for my work sites and all external browsing I use Firefox or Opera (with Adblock Plus and Ghostery plugins installed).
You should complain to the bank and threaten to switch.
(Personally, I’d seriously consider switching too, not just threatening to switch.)
The more complaints a company gets, the more likely they are to do something.
Also, you might try forging your User Agent. The odds are that the bank supports iOS (iPhones/iPads), and since they don’t support Flash, banks can’t actually rely on it.
It’s not on a consumer level the issue lies. It is for the enterprise access. When we have to do bank wires or check uploads it requires specific versions of IE and framework plug-ins. And when a well known (HUGE) bank did an upgrade to their site they got rid of all the previous developers so there was no good transfer on their customer support staff.
Wow, I thankfully haven’t heard about ADP in ages.
Perhaps Zen Payroll? (Random hit for “ADP competitors”)
In general, complaining and threatening to go to a competitor are still the right approach, even at commercial scale (as opposed to consumer).
Unfortunately for commercial scale, there are often only a handful of providers of a given service and they all (apparently) tend to suck.
Good luck.
Note that you can set up a VM with a specific signature and IP address and a firewall which only allows it to talk to that vendor (and the Microsoft update server – presumably WSUS). Yes, dealing with a couple of VMs isn’t particularly fun, but it’s probably safer to limit your exposure to smaller attack surfaces. Automated snapshots can also help…
Yes, I’ve noticed two in my immediate sphere, Consumer Cellular, whom I’ve notified twice that the only way to view their online instruction videos is through Flash, and they refuse to respond in any way, and a private marketer of financial web seminars for financial advisors.
When people like Kim Komando, and Brian, have a recommendation to avoid Flash as redundant (HTML5 works just fine), and Mozilla blocks it by default in Firefox, its risk is clearly unnecessary and bad for business. You’d think big outfits would get it, since such a good alternative is easy at hand.
Maybe they think everyone worth doing business with is on Apple products.
Then stop doing business with them and let them know why. Failing that, take steps to protect yourself.
Is it sufficient to just disable the Flash plugin, or must it be removed? Also, is Flash safe to use while browsing within Sandboxie? Thanks so much!
flash = data that executes = bad. flash = bad. disable flash.
Have no need for Java here, thankfully, and no longer have the Flash player installed, choosing instead to use Chrome and its click-to-play setting to prevent Flash content from loading.
Ironically, though, your blog posts now act as a reminder to me to check the Windows 7 virtual machine on my Mac for updates – normally, it just sits in the background, and I don’t see the Windows Update icon.
One oddity worth mentioning – I have Adobe Acrobat DC installed as part of my Creative Cloud subscription, but sadly it doesn’t get updates via the Creative Cloud desktop app, in the same way that Photoshop, Illustrator, InDesign, etc. do – you have to open Acrobat and do Help > Check For Updates from within there. I suspect that this is because Acrobat is still produced and managed by a different group within Adobe.
After installing this patch none of the browsers on my iMac are working. Everything is being timed out. Advice would be super helpful. Using my Kindle Fire just to access your blog.
“Tangentially, I recommend trying ActiveX Filtering for anyone with IE installed, even if it’s not your main browser. Gear icon > Safety > ActiveX Filtering.”
Excellent advice, which all should heed, IMHO.
“The last such out-of-band patch for the integrated Flash Player lagged slightly.”
It’s lagging behind MORE than just slightly. It’s noon eastern time on the 15th and still no update for IE and Windows 8/8.1 from Microsoft. The last integrated update lagged but only by a matter of hours.
They probably won’t but I hope Microsoft adopts the Mozilla approach with respect to Flash (BLOCKED). Flash really needs to be relegated to the dust bin.
I couldn’t agree more with this piece on WIRED.com
Flash.Must.Die
http://www.wired.com/2015/07/adobe-flash-player-die/
Still no update for v18.0.0.209 for Windows 8.x.
Bump — still no update
Just checked and it’s ready now. Patch away!
Wow, Microsoft is asleep at the wheel.
There is a cybernetic attack scheduled from Adobe Systems, especially in the Flash plugin browsers.
Why wasn’t there an updated flash for Linux?
Last was 12.2.202.481 from 7/8/15…
It seems that the Linux Adobe Flash Player is now 11.2.202.491. And I’m not sure if it was released today or yesterday. http://www.adobe.com/software/flash/about/
Interesting that the Adobe distribution page for flash has changed to https, it wasn’t that way yesterday (7/14/15)
@Brian:
The `g` in `Qualys blog` isn’t included in the link.