Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system. Not to be left out of Patch Tuesday, Oracle‘s chief security officer lobbed something of a conversational hand grenade into the security research community, which responded in kind and prompted Oracle to back down.
Adobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.
Adobe recommends users of Adobe Flash Player on Windows and Macintosh update to Adobe Flash Player 18.0.0.232. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.
However, I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.
If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.
If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.)
MICROSOFT
Microsoft may have just released Windows 10 as a free upgrade to Windows 7 and 8 customers, but some 40 percent of the patches released today apply to the new flagship OS, according to a tally by security firm Qualys. There is even an update for Microsoft Edge, the browser that Microsoft wants to replace Internet Explorer.
Nevertheless, IE gets its own critical update (MS15-089), which addresses at least 13 flaws — most of which can be exploited remotely without any help from the user, save from perhaps just visiting a hacked or malicious site.
Another notable update plugs scary-looking flaws in Microsoft Office (MS15-081). Qualys says it appears the worst of the flaws fixed in the Office patch could be triggered automatically — possibly through the Outlook e-mail preview pane, for example.
According to security firm Shavlik, there are two flaws fixed in today’s release from Microsoft that are being actively exploited in the wild: One fixed in the Office Patch (CVE-2015-1642) and another in Windows itself (CVE-2015-1769). Several other vulnerabilities fixed today were publicly disclosed prior to today, increasing the risk that we could see public exploitation of these bugs soon.
If you run Windows, take some time soon to back up your data and update your system. As ever, if you experience any issues as a result of applying any of these updates, please leave a note about your experience in the comments section.
ORACLE
I’ve received questions from readers about a rumored software update for Java (Java 8, Update 60); I have no idea where this is coming from, but this should not be security-related patch. Generally speaking, even-numbered Java updates are non-security related. More importantly, Oracle has moved to releasing security updates for Java on a quarterly patch cycle, except for extreme emergencies (and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place).
Alas, not to be left out of the vulnerability madness, Oracle’s Chief Security Officer Mary Ann Davidson published a provocative blog post titled “Don’t, Just Don’t” that stirred up quite a tempestuous response from the security community today.
Davidson basically said security researchers who try to reverse engineer the company’s code to find software flaws are violating the legal agreement they acknowledged when installing the software. She also chastised researchers for spreading “a pile of steaming FUD” (a.k.a. Fear, Uncertainty and Doubt).
Oracle later unpublished the post (it is still available in Google’s cache here), but not before Davidson’s rant was lampooned endlessly on Twitter and called out by numerous security firms. My favorite so far came from Twitter user small_data, who said: “The City of Rome’s EULA stipulates Visigoths cannot recruit consultants who know about some hidden gate to gain entry.”
What a hole she dug herself. She needs to go.
She’s probably bleeding from the eyes. ba dah doomp!
Obviously, when you are responsible for promoting the security of products as secure as a Swiss cheese, the best thing to do is to jump the shark in a very public and ridiculous way.
If she were Ashlee(?) Simpson on SNL, she would be doing the Oracle Hoedown Hickety Hock dance step about now.
Such incompetence needs to be let off the bus at the next stop.
Her writing style shows her erratic behavior is probably the norm.
So, Oracle’s legal agreement for Java is broken too? Maybe they should switch to a license that allows legitimate security research.
I’d also heard about a java update, so I checked their page (java.oracle.com) early this morning and saw 8u60 (but didn’t download it). So I put in a change request to upgrade it on a server I maintain, checked the page later to download it, and they’d pulled the update (newest was back to 8u51). Lame.
I just leave it here:
“Researchers’ response to post by Oracle CSO Mary Ann Davidson”
http://erpscan.com/press-center/blog/researchers-response-to-post-by-oracle-cso-mary-ann-davidson
The statement that continues to strike me from Mary Ann Davidson’s rant is her assertion that Oracle “find[s] 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers.” As Alexander Polyakov’s post points out above, there are some 4,000 vulnerabilities in Oracle products on OSVDB. If we assume that makes up around 3% of actual security vulnerabilities in Oracle products, that’s well over a hundred thousand security vulnerabilities.
And Oracle’s CSO would not like any help finding them.
I find that alarming.
Maybe she should’ve said Oracle “find[s] 87% of security vulnerabilities ourselves… after hackers 0-day them and leave us no other option, that is. After consulting our lawyers, we’ve been re-writing the EULA in more languages. That will stop the hackers for SURE.”
This month’s Microsoft updates have gone smoothly on my Win8.1 / Office 2010 systems. I haven’t banished Flash Player quite yet, but I do switch it to a disabled-by-default condition in the browser. For Internet Explorer, the simple approach is to enable ActiveX Filtering (gear icon > Safety), then override with the blue circle in the address bar where necessary.
btw, does anyone know how you say “reverse-engineer” in Elvish? Tolkien missed that one…
Sindarin or Quenya?
simple math, you nailed it. Oracle\Java … making MS Windows look more secure, one vulnerability at a time. LOL
Ah, EULAs. I once worked for a software startup that made the mistake of having lawyer-type lawyers (as opposed to business-oriented lawyers) write the EULA. The EULA literally forbade the user from using the software.
Ugh… MS bundles security updates for WIN8.1 with the upgrade package for WIN10. If you’ve reserved a WIN10 copy but don’t want to upgrade just yet, make sure to uncheck the WIN10 upgrade option before proceeding.
If you get stuck with Windows 10 installed here’s a good run down of the things you can set to restore your privacy (if you had it with 8.x to begin with)…good reference:
http://www.howtogeek.com/224616/30-ways-windows-10-phones-home/
I had that happen to me with Windows 7 Ultimate. When I ran Update last night, the only things I could select or deselect were the recommended and optional updates. I wasn’t presented with the important updates. It just said there were 22(?) important updates selected. When I told it to install updates, the Windows 10 update started. I cancelled that and I don’t know how to get just the Windows 7 and Office security updates.
My Update settings are set to notify me when there are new updates but let me select the updates to download and install.
Yes no reverse engineering from part timers,leave it to full time employees at NSA and GCHQ.
Career limiting event for Ann Davidson?
In case you noticed, Google Chrome updated to Version 44 nearly a month ago, which means that it won’t auto-update when I click on “About Google Chrome” and it will always claim it’s “up-to-date”. Fortunately, I have a workaround for this problem: click on this link here: https://www.google.com/chrome/browser/desktop/index.html Then click on “Download Chrome”. Afterwards, click on the downloaded Chrome Setup, and then, after the install, click on “About Google Chrome” and click on “Relaunch” when it asks you to do so. Voila! You’ll get this new version instead of the stuck-on previous version. Hope it works for you guys.
I’ve had to resort to reinstalling Chrome in the past when it wouldn’t update itself – it could be a sign that there’s something broken in your system. I ended up doing a clean install of OS X – after making sure all my data was backed up – and that and other issues I’d been struggling with went away.
You reinstalled all of your OS because Chrome wouldn’t auto-update? Wow. Google is simply not that competent. Their update system breaks, you remove the update system, reinstall it, and the system is fixed. The problem is that Google doesn’t make removal easy because they never document a goddamn thing, and on the rare occasions when they do, they never keep the documentation up to date.
Actually, I reinstalled OS X because I was encountering issues with parts of OS X – Safari, iCloud in particular – and general sluggishness even when no applications were running.
Good god, I’ve been using OS X on multiple machines since the first public beta 15 years ago and I’ve NEVER had to reinstall OS X.
This isn’t Windows, y’know…..
Congratulations! I guess Sod’s Law decided I was having too easy a life.
Last time I reinstalled Windows, it was actually a downgrade back to Windows 7 after a few months trying to use Windows 8.
This worked for me, bringing Chrome Stable to 44.0.2403.155 m and Flash to 18.00.232 . I wonder if the Chrome update delay is simply oversight or incomplete testing of the Flash update, or an intentional delay because Chrome has found an unresolved problem with the Flash update? In the past Chrome does update itself eventually, even though one time I recall it took 4 days to do so.
I have to admit I liked reading what she said. If you look at this from a legal lens, business lens and technology lens it bears some interesting fruits. On one hand she is right that by hiring a bunch of testers you are indeed proving them with an incentive to break it and most likely it will be published and on the other you are trying to protect yourself. The real question is …. Is the car worthy enough to drive with all its flaws? You must ask yourself a few questions. If you find a flaw will you remove the product from your machine? Are you capable of finding a replacement? Are you willing to rewrite the code and develop the product yourself? Can you live without the product?
If you answer NO to these than you are not in a position to break the code and tell Oracle to piss off!
Has nobody told you that ‘security thru obscurity’ is not a valid, entitlement excuse
Was she applying for a job opening at Adobe?
They are known for having security researchers arrested for reverse-engineering:
https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.
“click to play” is also a good alternative for Flash and other potentially dangerous plugins.
Re update to Windows 10.
Have Windows 7 Home Premium.
Update to 10 failed close to 20X.
Goes thru the first two parts of the update, then fails immediately on the third part.
It gives and error #, but says “unkown error”.
The error #
C1900101-40017
Many reports, no single fix known to work for all.
Message is “C1900101-40017
Installation failed in the second_boot phase with an error during boot operation”
Microsoft’s page says that error 0x40017 is a driver problem, possibly USB
Try this suggestion –
“After the failure during the upgrade process go to advanced/startup settings and activate disable drivers signature.”
Follow threads on Microsoft forums –
http://answers.microsoft.com/en-us/windows/forum/windows_10-win_upgrade/windows-10-update-error-c1900101-40017/f11ed331-f12a-44c5-80c7-a128209027ac?auth=1
http://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-10-update-error-c1900101/366b72a6-06d5-4459-9e84-ec1adb6a91ca
http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_install/windows-10-couldnt-install-error-found-c1900-101/1d69d138-fa2d-4f95-bf7e-461c059d83ca
http://answers.microsoft.com/en-us/windows/forum/windows_10-win_upgrade/windows-10-installation-error-error-code-c1900101/2a4dba93-6a5c-4a8b-bce1-6d48615c0957
The basic advice is as always : L.G.B.Y.F.
My upgrades always stall out at a certain point. When I created installation media it actually bluescreened at the exact same point with clock watchdog timeout. I haven’t Googled it lately but when I was giving a crap about Windows 10 (in the first week or so), nobody had anything useful to say about that one.
Please keep in mind, Ms. Davidson’s rant is simply a reflection of the entitlement mentality that pervades within the executive suite of all companies.
To business executives, IT security (and privacy) issues are a “PR problem to be ‘managed’ and ‘communicated'”, not technical issues to be actually solved. Business management executives overwhelmingly believe that the best approach for dealing with these issues is simply more effective advertising to convince customers that there isn’t a problem in the first place; they view this as a much easier and more straight-forward approach compared to actually having to fix their networks (or — horrors! — modify their way of doing business).
Here are two stellar examples of precisely the same mentality :
http://www.theglobeandmail.com/report-on-business/bell-media-president-urges-behavioural-shift-to-prevent-stealing/article24783094/
and
http://www.michaelgeist.ca/2015/02/rogers-executive-calls-canadian-government-shut-vpns/
Remember — the textbook definition of a “gaffe”, in the context of a business or political leader, is “letting what you really believe, leak out in public”. That’s exactly what Ms. Davidson was doing… telling us what Oracle’s REAL philosophy on dealing with software vulnerabilities, really is.
Well, they’re very, very wealthy compared to us – so they are, in fact, entitled at least SES-wise. Unlikely loosing their jobs would reduce them out of their current SES.
Wow…After the laughter wore off I just went to Programs and Features and uninstalled Java. It will never be secure with the current thought leadership there and I might as well get used to not using it. Virtualbox is unfortunately next…
What’s wrong with VB?
I suspect the author is less than thrilled with Oracle’s approach to security and since Virtualbox is also an Oracle product, he has similar concerns about it.
All the following installed without any intervention on my part once I allowed the download/up-date.
The ADOBE up-date for Microsoft products was included in the MS up-date. The ADOBE for Firefox 39.0.3 had to be done separately, which also installed without problems.
The MS updates that were installed:
– Cumulative Update for Windows 10 for x64-based Systems (KB3081436).
– Security Update for Microsoft Silverlight (KB3080333).
– Windows Malicious Software Removal Tool for Windows 8, 8.1, 10 and Windows Server 2012, 2012 R2 x64 Edition – August 2015 (KB890830).
– Security Update for Internet Explorer Flash Player for Windows 10 for x64-based Systems (KB3087916).
===
As an aside, my only complaint so far with MSWX is that too much is hidden from the user and is done on an automated basis. Perhaps good for novices, but bothersome to pros. I have had to search for various locations that to me were more easily access able using previous versions of MS software.
Brian any idea of this guy https://twitter.com/undoxable_KiNG is the same person who got picked up for the Swatting in Houston?
My new favorite setup is to remove Flash from the computer, but leave it enabled in Chrome. Chrome auto-updates its internal copy of Flash automatically, so the user doesn’t have to know or do anything, it just fixes itself. It’s especially nice to never run the horrible Flash installer / adware stuff again! I mostly use Firefox, but switch to Chrome if a page needs Flash.
MS Windows 10 (MSWX) does that (auto-updates) also, and apparently will either notify or update other supplier’s programs and apps you may have installed also.
Hence: “– Security Update for Internet Explorer Flash Player for Windows 10 for x64-based Systems (KB3087916).”
I have my permissions set so it auto-updates some items and asks me on others.
I am not a fan of some suppliers update sites, including Adobe’s.
Based on my experience, I believe that update only applies to the Windows Store version of IE, not to IE running on the desktop. For IE on the desktop, if you’ve installed the Adobe Flash plugin, you still have to update it yourself. (Or depend on Adobe’s own automatic updater, but I’ve found that to be very unreliable.)
On Win 8, 8.1 and 10, the “desktop IE” version of Flash Player does update via Windows Update. Microsoft shipped the OS with it (for better or for worse) so they maintain it. If someone did try to run the separate Adobe Flash Player installer, they get this message:
“The installation encountered errors:
Your Microsoft Internet Explorer browser includes the latest version of the Adobe Flash Player built-in. Windows Update will inform you when new versions of the Flash Player are available.”
Good: it auto-updates.
Not so good: whether you want or not, it’s built in. Considering Windows has a ten-year lifecycle, I personally think that was a bad move, but it’s too late now.
Workaround: enable ActiveX Filtering and/or disable it in Manage Add-Ons.
Except when it doesn’t. See the thread above talking about how after updated to 44.x auto-updates fail. I too had to manually download the Setup file and re-run to get the latest Flash update in Chrome. Test at the Adobe site and most likely you will see you are not current.
How dumb of Mary Ann, smart companies offer “bug bounties” to security researchers, she would rather piss them off. Maybe it’s time for her to quit her day job and take up her real passion, writing fiction.
Thank you for this Brian
(and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place)
That made me smile
I’m wondering if HTML5 will do any better than Flash. I think we should go back to the the horse and carriage, or HTML, TXT, and Images or maybe just TXT.
AHhhh so nice not to have any more updates for flash. I got my peaceful Sundays back, not having to work on my kid’s messed up computer! Flash Be Gone for good.
As for Microsoft, that’s another story……..
The world’s favorite seems to be linux mint nowadays (see distrowatch). That’s how I avoid Microsoft pain ever since starting to read Brian’s information. Thanks, Brian.
Oracle is constantly making new Java versions available between releases, but they’re only accessible if you have a paid account. I don’t doubt that there’s an 8u60 but because she wrote this they pulled it to hold off for 61 ;-P
Java 8u60 is now available.
http://www.java.com/en/download/manual.jsp