July 14, 2015

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.

ADOBE

Adobe’s Flash patch brings Flash to version 18.0.0.209 on Windows and Mac systems. This newest release fixes two vulnerabilities that were discovered as part of the Hacking Team breach. Both flaws are exploitable via code that is already published online, so if you must use Flash please take a moment to update this program.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome,” click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, for example), because IE uses the ActiveX build of Flash while other browsers load the separate NPAPI plugin, and each has its own installer.

Please consider whether you really need Flash installed. It is a powerful program that is being massively leveraged by cybercriminals to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.

Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.

Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave and it’s just as buggy as Flash but it doesn’t get updated nearly enough. In any case, links to the latest version of Shockwave are available in the advisory.

MICROSOFT

With today’s 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today’s patches, including one zero-day flaw uncovered in the Hacking Team breach.

Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.

Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2424) that is actively being exploited by attackers.

More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.

ORACLE

Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.

The latest version, Java 8 Update 51, is available from Java.com. But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I’ve urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.
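Knowing the patched build numbers is only useful if you can compare them against what is actually installed, and vendors print versions in more than one shape: Adobe’s page says 18.0.0.209 while Firefox’s plugin list shows something like “18.0 r0”, and Oracle calls the same release “8u51” on Java.com and “1.8.0_51” in `java -version` output. The following is an added example, not code from the original post or from Adobe or Oracle: a small Python audit that normalises those forms, compares them against the Flash and Java versions named above, and refuses to guess when a string (such as Firefox’s short Flash form) drops the digits that separate the patched build from the vulnerable one. The inventory and hostnames are constructed for the example; a real one would be exported from SCCM, a browser-check tool, or an endpoint agent.

```python
"""Audit an inventory of Flash and Java installs against the builds shipped
in this round of patches (added example, not part of the original post)."""
import re
from typing import List, Optional, Tuple

# Builds named in the post. Java 8 Update 51 is 1.8.0_51 in `java -version` form.
# Anything older, including all of Java 7, is flagged, which is the intent here.
PATCHED = {
    "flash": (18, 0, 0, 209),
    "java": (1, 8, 0, 51),
}

_JAVA_SHORT = re.compile(r"^(\d+)u(\d+)$")             # 8u51
_JAVA_LONG = re.compile(r"^1\.(\d+)\.0_(\d+)$")        # 1.8.0_51
_FLASH = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")   # 18.0.0.209


def parse_version(product: str, text: str) -> Optional[Tuple[int, ...]]:
    """Normalise a vendor version string into a comparable tuple.

    Returns None when the string cannot be compared safely, e.g. Firefox's
    "18.0 r0" for Flash, which omits the build number that distinguishes
    18.0.0.209 from earlier 18.0.0.x builds.
    """
    text = text.strip()
    if product == "java":
        m = _JAVA_SHORT.match(text) or _JAVA_LONG.match(text)
        return (1, int(m.group(1)), 0, int(m.group(2))) if m else None
    if product == "flash":
        m = _FLASH.match(text)
        return tuple(int(g) for g in m.groups()) if m else None
    raise ValueError(f"unknown product {product!r}")


def needs_update(product: str, text: str) -> Optional[bool]:
    """True if installed < patched, False if current, None if undecidable."""
    installed = parse_version(product, text)
    if installed is None:
        return None
    return installed < PATCHED[product]


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, reason) for every entry needing attention.

    Unparseable version strings are reported rather than skipped: an audit
    that silently drops them under-counts exposure.
    """
    findings = []
    for host, product, version in inventory:
        verdict = needs_update(product, version)
        if verdict is None:
            findings.append((host, product, f"unparseable version {version!r}"))
        elif verdict:
            findings.append((host, product, f"{version} is older than the patched build"))
    return findings


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-001", "flash", "18.0.0.209"),
    ("ws-002", "flash", "18.0.0.203"),
    ("ws-003", "flash", "18.0 r0"),
    ("ws-004", "java", "1.8.0_51"),
    ("ws-005", "java", "8u45"),
    ("ws-006", "java", "1.7.0_80"),
]

if __name__ == "__main__":
    for host, product, reason in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:6} {reason}")
```

The deliberate design point is the `None` verdict: a version string that is missing the build number is reported as a finding rather than treated as patched, so the hosts you could not verify show up in the same list as the ones you know are behind.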

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default).

The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
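The Java Control Panel checkbox is stored on disk, which makes the setting something you can verify across a fleet rather than trust a screenshot of. The following is an added example and not code from the original post or from Oracle. It assumes, as the writer understands Oracle’s deployment documentation, that the “Enable Java content in the browser” checkbox maps to the key `deployment.webjava.enabled` in the per-user `deployment.properties` (on Windows under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment`), that a system-wide `deployment.properties` referenced from `deployment.config` can set the same key, and that appending `.locked` to a key prevents users from overriding it; verify all three against the documentation for your JRE before relying on the check. The two property files below are constructed for the example.

```python
"""Report the effective state of Java-in-the-browser from deployment.properties
files (added example, not from the original post). Key name, file locations
and the ".locked" convention are assumptions to verify against Oracle's docs."""
from typing import Dict

WEB_JAVA_KEY = "deployment.webjava.enabled"


def _unescape(s: str) -> str:
    """Undo Java .properties backslash escapes ('http\\://' -> 'http://')."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal parser for Java .properties syntax as written by the JRE:
    '#'/'!' comment lines, '=' or ':' separators, escaped separators inside
    values, and keys with no value at all (how '.locked' markers appear)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key_end, i = None, 0
        while i < len(line):               # first unescaped '=' or ':' ends the key
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=:":
                key_end = i
                break
            i += 1
        if key_end is None:
            key, value = line, ""
        else:
            key, value = line[:key_end], line[key_end + 1:]
        props[_unescape(key.strip())] = _unescape(value.strip())
    return props


def web_java_status(user_props: Dict[str, str], system_props: Dict[str, str]) -> str:
    """Classify the effective setting: a locked system value wins over the
    user's file, otherwise the user's file wins, otherwise an unlocked system
    value; an absent key means Oracle's default, which is enabled."""
    if WEB_JAVA_KEY in system_props and (WEB_JAVA_KEY + ".locked") in system_props:
        value, source = system_props[WEB_JAVA_KEY], "system (locked)"
    elif WEB_JAVA_KEY in user_props:
        value, source = user_props[WEB_JAVA_KEY], "user"
    elif WEB_JAVA_KEY in system_props:
        value, source = system_props[WEB_JAVA_KEY], "system"
    else:
        return "enabled (default, key absent)"
    state = "enabled" if value.strip().lower() == "true" else "disabled"
    return f"{state} ({source})"


# Constructed sample files. A user who left the plugin on, and a system-wide
# file pushed by the administrator that turns it off and locks it.
USER_FILE = """\
#deployment.properties
#Tue Jul 14 12:00:00 EDT 2015
deployment.version=8.51
deployment.webjava.enabled=true
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
"""

SYSTEM_FILE = """\
# pushed centrally: browser plugin off everywhere, not user-changeable
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""

if __name__ == "__main__":
    user = parse_java_properties(USER_FILE)
    system = parse_java_properties(SYSTEM_FILE)
    print("Java in browser:", web_java_status(user, system))
```

The precedence logic is the part worth reading: the user’s own file saying `true` is exactly what you would expect to find on a machine where someone re-enabled the plugin, and the check only reports “disabled” when the system-wide file both sets the key and locks it.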

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


70 thoughts on “Adobe, MS, Oracle Push Critical Security Fixes”

  1. Mr Trump, Millionare, I own a mansion and a yact

    I had 29 Microsoft updates on my Windows 8.1, and think half of them were for the Windows 10 install coming on July 29th.

    1. Anonymous

      Apparently you don’t own a dictionary.

  2. Bob

    I wish the browsers would set flash disabled as the default like they did with java. I’ve had flash disabled for a year (except on one browser that I only play a flash game on) and I haven’t missed it. If anything, it means I see less ads on the screen.

  3. Tim

    Does this latest Adobe Flash update cover the third zero-day referenced in your previous post?

  4. BrianKrebs Post author

    yes, it covers all of the recent zero-day Flash flaws that we know about so far.

    1. Chris

      With an emphasis on the ‘know about so far.’ Something tells me more are right around the corner…

    2. James

      I checked Java, and their latest version is Java 8 Update 45.

      I don’t see any Java 8 Update 51. Did they take it down or something?

  5. Tim

    I didn’t see any update for Linux this morning.
    The 11.2.202.481 is from July 08, 2015.
    Were they not affected by these zero-days?

  6. Debbie Kearns

    Why do you keep making mistakes in your blogs for Flash Player Updates? You keep putting quotes in “About Google”, but never in “About Google Chrome”, because the quotes you put always end after “Google” instead of “Chrome”. It’s supposed to say “‘About Google Chrome’”, NOT “‘About Google’ Chrome”! Please stop messing up the quotation marks, okay?

    1. Alex Blackwell

      And you thought you left editors behind when you left the Washington Post.

    2. Debbie Kearns

      Apology accepted, Brian. You’re still cool.

  7. Jimbo

    Oh stop with the Flash bashing. It’s excellent software and spurred the digital media revolution.

    1. Rick

      “It’s excellent software and spurred the digital media revolution.”

      Yeah, it’s the Battleship Potemkin of software….

    2. Canuck

      If it was a car it would be called the Flash Lemon.

      Like Java it’s a terrible piece of software that has never been secure. I won’t drive in a car where the wheels are likely to fall off every second week, would you?

    3. markD

      You use your legacy 1920s no-dial wall phone too? Everyone who knows what they are talking about (as far as I can see) is advising to drop Flash. Yes the Gutenberg typesetter has the great historical honor but no one is silly enough to expose themselves to the cost of using it. I have two providers still not providing the alternative HTML player, and both have lost business from me because of their lackadaisical or out of date failure to just bring on the HTML player. And I’ve told them I’m not exposing myself to watch things I need from them, I’m just cancelling my accounts (including my cell service provider).

    4. SalSte

      Flash was great back when the best we could get in a browser was Internet Explorer 4. Modern browsers don’t need extensions like Flash and Java anymore thanks to HTML5.

    1. Sasparilla

      Well… it’ll still exist for years as the default Microsoft browser in Windows Vista through Windows 8.1.

      For Windows 10 Microsoft renamed their new version of I.E. to Edge. Doesn’t that feel safer? Unfortunately it’s still just Microsoft’s next version of their browser (whatever the name).

      Since it’s bundled with every copy of Windows, it’ll continue to be targeted for exploits by govts, bad guys etc. Edge is the new I.E. as it were. That said, some bad security issues with I.E. have been removed (ActiveX etc.) in Edge.

      1. SalSte

        Edge isn’t a rebadged version of IE, it’s an entirely new browser. Amazingly enough, it’s also compliant with web standards as opposed to making them up as IE always did.

        For further proof, note that Windows 10 Pro has a hidden version of Internet Explorer in it, primarily for compatibility with the dread IE only enterprise applications.

    1. Jason

      Thank you! I was looking for a link.
      As the SCCM / deployments guy I was the first person to blame when Flash things stopped working.

  8. Phoenix

    I believe that Flash is doomed to be a PC relic, drowned by a flood of mobile devices devoid of Flash (thanks Steve Jobs). I read that more sites, including porn, are switching to HTML5 to be compatible. Anyway I deleted Flash and don’t intend to ever reload it. If a site doesn’t work, that’s their problem.

  9. Leo

    Brian,

    When you say “exploitable”, could you describe a typical set of steps the bad guys would take to exploit the zero-day vulnerability? Do they post a Flash-based ad on legitimate sites or what exactly do they do?

    Just curious…

    Thanks!

    1. Sasparilla

      To see a description of how it can work go to Brian’s earlier description of the first Hacking Team zero day that broke out into the public view:

      http://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/

      Click on the screenshot so you can read Hacking Team’s description (to their clients) of how to use it. The user would never know they were compromised, just visit the web page and the user is owned without his / her knowledge.

  10. Stratocaster

    When I first saw your post, it correctly pointed me to the Java 8.u.51 updates which I downloaded at work and installed. (Yes, we use corporate apps which require Java.) By the time I got home, it appears that Java.com is now directing back to the April 8.u.45 update. Maybe you broke the Internet.

    1. DF

      No, that is Oracle’s mistake. If you go to the See all Java downloads link on that page you should be able to get Java 8u51.

  11. Steve

    Umm, Debbie, maybe you oughta cut back on the caffeine a bit?

  12. Deadite

    At least Acrobat Reader still auto-updates if you allow it.

    Flash, on the other hand, stopped auto-updating again during v16. Some of the people making decisions at Adobe there need to be thrown out of the industry completely.

    As for Debbie’s post. Well, it’s the Daily Mail, so expect something less than journalistic. But then, this has been the case across the board today with the ‘reporting’ on what Firefox & Chrome have done.

    Firefox merely added another “click to activate” for older versions of Flash (although I’ve seen other screencaps showing that much older versions of Flash perhaps have more hoops to jump through). But older Flash versions can still be used; it was by no means disabled/blocked.

    As for Java: Brian, it might be useful to point out with your link to the Java download page that, much like with Flash, the ‘online’ version will try and download unnecessary crap. If you’ve got to download & install Java, use the Windows Offline installer.

  13. David

    Brian,
    I would like to follow your advice and remove the Shockwave Flash plug-in for Firefox. But this is not an easy procedure. Could you please explain how to do this?

    Thanks for your attention.

    1. Thomas

      REM Silently uninstall Shockwave Player from an elevated prompt; the /S switch goes outside the quoted path, or cmd looks for a file named "uninstall /S".
      if exist "C:\Windows\SysWoW64\Adobe\Shockwave 11" "C:\Windows\SysWoW64\Adobe\Shockwave 11\uninstall" /S

      if exist "C:\Windows\System32\Adobe\Shockwave 12" "C:\Windows\System32\Adobe\Shockwave 12\uninstall" /S

    2. brian krebs

      Are you trying to uninstall Flash, or Shockwave?

      Windows users can tell if they have Shockwave Player installed by going to Add/Remove Programs panel and checking for Shockwave.

      Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

      1. David

        Hello Brian,

        I want to uninstall “Shockwave Flash 18.0.0.209” as listed in the Firefox Add-ons Manager. Beneath that name is: Shockwave Flash 18.0 r0 (in small print). I have disabled the plugin (i.e., set it to “Never Activate”). I use a MacBook (OS X Yosemite).

        The Flash Player itself is not on my system, or so I am told by the Adobe web page “Check” tool, which says that the Player is not installed or not activated on my system.

        Still, to be sure, I would, if possible, like to remove this plugin from the Firefox Add-ons Manager list.

        Thanks again for your looking into this.

          1. David

            Hello Timeless,

            Thank you very much. I used the URL for the Adobe uninstaller, ran the uninstaller, and both Flash Player and the Shockwave Flash plugin were removed from my system, thanks to you. I appreciate your help.–David

  14. RBBrittain

    You sure the .209 patch is available for IE 11 in Win 8.1 64-bit? It’s still not coming up for me in Windows Update, and I’ve already installed all the Patch Tuesday updates. I’ve already updated to .209 in both Chrome & Firefox.

    1. mechBgon

      The last such out-of-band patch for the integrated Flash Player lagged slightly. It’ll probably show up in Windows Update soon. You may find the Qualys Browsercheck site handy for verifying your FP version, as well as other add-ons.

      Tangentially, I recommend trying ActiveX Filtering for anyone with IE installed, even if it’s not your main browser. Gear icon > Safety > ActiveX Filtering. Turning all ActiveX doodads off by default is an easy win. There’ll be a blue circle icon in the address bar when something got filtered, click that if you need to override filtering.

      This month’s batch of updates went OK on the systems I’ve done so far (Win 8.1 Pro x64, Office 2010). I lean towards the “install ASAP” camp, seeing how fast the attackers can react these days.

  15. Chris

    Sadly many sites needed for corporations users like ADP or (sigh) bank sites require FlashPlayer to be installed to use their site. And I’ve even run into a few cases where they require a particular version which is not the most recent or even several versions behind.

    1. Sasparilla

      As Brian mentioned, a solution to this is to have a dedicated Flash / Java browser that you use only for those sites and a non Flash / Java infected browser for all your other browsing needs.

      I have to use I.E. with Flash and Java at work, only use it for my work sites and all external browsing I use Firefox or Opera (with Adblock Plus and Ghostery plugins installed).

    2. timeless

      You should complain to the bank and threaten to switch.

      (Personally, I’d seriously consider switching too, not just threatening to switch.)

      The more complaints a company gets, the more likely they are to do something.

      Also, you might try forging your User Agent. The odds are that the bank supports iOS (iPhones/iPads), and since they don’t support Flash, banks can’t actually rely on it.

      1. Chris

        It’s not at the consumer level that the issue lies. It is for the enterprise access. When we have to do bank wires or check uploads it requires specific versions of IE and framework plug-ins. And when a well known (HUGE) bank did an upgrade to their site they got rid of all the previous developers so there was no good transfer on their customer support staff.

        1. timeless

          Wow, I thankfully haven’t heard about ADP in ages.

          Perhaps Zen Payroll? (Random hit for “ADP competitors”)

          In general, complaining and threatening to go to a competitor are still the right approach, even at commercial scale (as opposed to consumer).

          Unfortunately for commercial scale, there are often only a handful of providers of a given service and they all (apparently) tend to suck.

          Good luck.

          Note that you can set up a VM with a specific signature and IP address and a firewall which only allows it to talk to that vendor (and the Microsoft update server, presumably WSUS). Yes, dealing with a couple of VMs isn’t particularly fun, but it’s probably safer to limit your exposure to smaller attack surfaces. Automated snapshots can also help…

    3. markD

      Yes, I’ve noticed two in my immediate sphere, Consumer Cellular, whom I’ve notified twice that the only way to view their online instruction videos is through Flash, and they refuse to respond in any way, and a private marketer of financial web seminars for financial advisors.

      When people like Kim Komando, and Brian, have a recommendation to avoid Flash as redundant (HTML5 works just fine), and Mozilla blocks it by default in Firefox, its risk is clearly unnecessary and bad for business. You’d think big outfits would get it, since such a good alternative is easy at hand.

      Maybe they think everyone worth doing business with is on Apple products.

      1. Rick

        Then stop doing business with them and let them know why. Failing that, take steps to protect yourself.

  16. Anon

    Is it sufficient to just disable the Flash plugin, or must it be removed? Also, is Flash safe to use while browsing within Sandboxie? Thanks so much!

  17. anonymous

    flash = data that executes = bad. flash = bad. disable flash.

  18. Alan Ralph

    Have no need for Java here, thankfully, and no longer have the Flash player installed, choosing instead to use Chrome and its click-to-play setting to prevent Flash content from loading.

    Ironically, though, your blog posts now act as a reminder to me to check the Windows 7 virtual machine on my Mac for updates – normally, it just sits in the background, and I don’t see the Windows Update icon.

    One oddity worth mentioning – I have Adobe Acrobat DC installed as part of my Creative Cloud subscription, but sadly it doesn’t get updates via the Creative Cloud desktop app, in the same way that Photoshop, Illustrator, InDesign, etc. do – you have to open Acrobat and do Help > Check For Updates from within there. I suspect that this is because Acrobat is still produced and managed by a different group within Adobe.

  19. gyan

    After installing this patch none of the browsers on my iMac are working. Everything is being timed out. Advice would be super helpful. Using my Kindle Fire just to access your blog.

  20. John J

    “Tangentially, I recommend trying ActiveX Filtering for anyone with IE installed, even if it’s not your main browser. Gear icon > Safety > ActiveX Filtering.”

    Excellent advice, which all should heed, IMHO.

  21. John J

    “The last such out-of-band patch for the integrated Flash Player lagged slightly.”

    It’s lagging behind MORE than just slightly. It’s noon eastern time on the 15th and still no update for IE and Windows 8/8.1 from Microsoft. The last integrated update lagged but only by a matter of hours.

    They probably won’t but I hope Microsoft adopts the Mozilla approach with respect to Flash (BLOCKED). Flash really needs to be relegated to the dust bin.

  22. rei

    Still no update for v18.0.0.209 for Windows 8.x.

    1. mechBgon

      Just checked and it’s ready now. Patch away!

  23. adobe unemployment

    There is a cybernetic attack scheduled from Adobe Systems, especially in the Flash plugin browsers.

  24. Tim

    Why wasn’t there an updated flash for Linux?
    Last was 12.2.202.481 from 7/8/15…

  25. KrebsFan

    Interesting that the Adobe distribution page for flash has changed to https, it wasn’t that way yesterday (7/14/15)

  26. timeless

    @Brian:

    The `g` in `Qualys blog` isn’t included in the link.
