Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.
According to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among others.
A critical fix for a Windows graphics component addresses flaws that previously showed up in two public disclosures, one of which Shavlik says is currently being exploited in the wild (CVE-2015-2546). The 100th patch that Microsoft has issued so far this year — a salve for Windows Media Player – fixes two different vulnerabilities that were publicly disclosed before today (CVE-2015-2509 and CVE-2015-2504).
In other important patch news today, Adobe has released a security update for its Shockwave Player browser plugin. If you need this program, then update it; the latest version is v. 22.214.171.124. But in my experience, most users don’t need it and are better off without it. For more on why I say that, see Why You Should Ditch Adobe Shockwave.
Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.
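Since the article's version check relies on visiting a test page, here is an added example (not from the article) that tells Shockwave Player and Flash Player apart locally, by reading the standard Windows Uninstall registry keys. It assumes a Windows machine; the registry paths are the generic Add/Remove Programs keys, not anything Adobe-specific, and the product name pattern is an assumption about how Adobe labels the entries.

```powershell
# Added example: list Adobe Shockwave and Flash Player installs from the
# standard Uninstall keys so the two products are not confused.
# Assumes Windows; key paths are the generic Add/Remove Programs locations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AdobePluginInstalls {
    # SilentlyContinue: the WOW6432Node branch does not exist on 32-bit Windows.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Adobe (Shockwave|Flash) Player' } |
        ForEach-Object {
            [pscustomobject]@{
                Product   = $_.DisplayName
                Version   = $_.DisplayVersion
                Uninstall = $_.UninstallString
            }
        }
}

$found = @(Get-AdobePluginInstalls)
if ($found.Count -eq 0) {
    Write-Host 'Neither Adobe Shockwave Player nor Adobe Flash Player is registered in Add/Remove Programs.'
} else {
    $found | Format-Table -AutoSize
    # Shockwave is the product the article suggests removing; Flash is separate.
    $shockwave = $found | Where-Object Product -like 'Adobe Shockwave*'
    if ($shockwave) {
        Write-Host 'Shockwave Player is installed. Adobe ships a separate uninstall tool for it.'
    }
}
```

The "Shockwave Flash" plugin name Firefox shows belongs to Flash Player; this script reports the two products under their Add/Remove Programs names, which avoids that ambiguity.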
I agree completely about the (lack of) security in Flash and Shockwave.
For those readers who need it, however, you might want to suggest a few ways to make them a little less dangerous. They all involve configuring the browser (or installing add-ons) in a way that the plugins will only load for web sites you explicitly authorize.
Firefox has a built-in mechanism called “Ask to activate”. From the about:addons page, click on “Plugins” (in the left-side margin) to see a list of installed plugins. Each one can be set (via a menu on the right-side) to “Always Activate”, “Never Activate” or “Ask To Activate”. Always and Never do what you’d expect – the plugin will always load or will never load on a page that requests it. Ask will initially cause the page to load without the plugin, but Firefox will place an icon to the left of the location bar indicating that there are plugins on the page. You can select one and configure it to load for that session only or whenever that page is viewed.
Ask To Activate works well, but I don’t use it because it’s an all-or-nothing proposal. You have to allow or deny all instances of a plugin on a page. If you’re viewing a page with an embedded YouTube video that needs Flash, the act of enabling Flash for that page will also enable it for banner ads which contain unwanted content (including possible malware.)
For myself, I use the Flashblock add-on ( https://addons.mozilla.org/en-US/firefox/addon/flashblock/ ). With this, you leave Flash (and Shockwave, if you have it) set to always activate. The Flashblock add-on will replace all Flash and Shockwave objects with placeholder objects. If you click on the placeholder, then that object (and no other blocked objects) will load. This way, you can load only the object you care about and none others. You can also configure a whitelist, so objects from sites you trust will always load and (my favorite part) you have the option to apply the whitelist to the source of objects (the object’s server, which is often different from the server hosting the page that embeds it.) This means you can (for example) whitelist YouTube, allowing all YouTube videos to play, wherever they are embedded, but without allowing Flash from other sources (e.g. advertisements) to load, even if they are on the same page.
Although it’s clearly not as secure as just disabling/deleting Flash, I think using Flashblock is a pretty good compromise, as long as you’re careful to only whitelist sources that you know you can trust.
The press has been full of reports this weekend describing this update as forcing installation of data collection features akin to Windows 10, on Windows 7 and 8x machines. (see, for example, http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/ and http://www.techtimes.com/articles/82619/20150908/microsoft-vs-privacy-windows-10s-controversial-tracking-tools-hitting-windows-7-8.htm)
Aside from the fact that MS corporate types may be marginally more polished than the criminal hackers lurking in moms’ basements all over the world, I would like to hear a discussion of why Microsoft finds it justified to push software through these updates that strips personal data from users, phones it home to their data center, and uses it for who knows what purpose. Are there any cyber-savvy attorneys here? Why is that not “theft of service” or a violation of our reasonable expectation of privacy at the very least? Are the FTC and the Department of Justice aware of this mass effort to strip personal data from individual users? And I’m not interested in hearing about how that theft is being conducted for the “users’ good.” I’m too experienced to buy that argument.
When I purchase a refrigerator, I don’t expect the manufacturer to show up at my door and force his way inside to see what I put in it so he can analyze my diet and sell me more food. Likewise, I don’t think it is legitimate for Microsoft to force its way onto my operating system (for which I paid a substantial sum, in good faith), strip the data residing there at will, and take it for whatever purpose it chooses. Obviously there are measures that those who read this blog can take to counter this if desired (hello Linux), but the vast majority of users won’t know they are being cyber-stalked and observed by a formerly trustworthy organization.
This is a sad and shameful development.
You seem more than a touch paranoid. Wrap your foil a little tighter.
He’s not being paranoid. All the stuff that Microsoft added to Windows 10 that you can’t turn off and is sending information to Microsoft has been backported to Windows 7 & 8.x via updates:
Fortunately you can uninstall the updates (do some digging and you can find the update numbers – it’s like 4 of them), but it’s sad Microsoft did this.
Then I am sorry to bust your little bubble, but Apple does the exact same thing and was doing it long before Microsoft.
Do a search for Apple forces updates and you will find well over 200,000 links on just google as well as a few of them come directly from the Apple forum and Apple themselves.
Now while I don’t want a forced update either, I can’t see why people like you are going after MS, and not doing the same thing in attacking Apple for doing it first.
Did you read the post before commenting on it? He’s specifically complaining about forced updates that collect and distribute personal data.
Saying that, I’m not entirely sure that you’re right about Apple forcing updates in the general case either. I’m paranoid about that sort of thing and can’t remember it being an issue. I only have experience with OSX though – are you referring to iOS?
I think you probably misunderstood him Dan, he was talking about all the stuff added to Windows 10 (and now found to have been back ported to v7 & v8.x) that sends your personal information back to Microsoft that you can’t turn off. With Microsoft’s history it can be a bit disconcerting:
Apple doesn’t do that with OS X at all…anything they have being sent back (which is significantly less to begin with) can be turned off by the user easily and it’s off.
As to updates on OS X (Apple’s PC platform), it’s entirely up to the user…you choose whether to install updates or not…what Microsoft is doing with Windows 10 on forced updates to PCs is something new on that platform. And considering their consistent ability to make good moral choices when it comes to the privacy of their customers’ personal data it’s probably not a good thing (just be glad we’re not in a totalitarian state where Microsoft just hands that stuff over as part of their commercial bargain to sell there).
Just been reading on another website about the 3 KB’s that came out recently, they urge to either not install or uninstall. Interested to read others views on this.
Unless sites provide the Privacy Act of 1974 Protection, then your expectation of privacy should be null and void once you connect an unconnected computer to the internet.
We deal with this by running these lines as part of our Group Policy computer startup scripts (we also have stuff that strips out the crapware from new PCs, etc) (disclaimer – these lines are provided as-is with no guarantee they won’t delete all of your data, brick your PC, start a global thermonuclear war, molest your pets, and / or produce any other negative outcomes you can or cannot imagine):
REM Remove Microsoft Spyware
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart
REM wusa.exe has no /forcestart switch; the documented one is /forcerestart (reboots immediately)
wusa /uninstall /kb:3068708 /quiet /forcerestart
wusa /uninstall /kb:3022345 /quiet /forcerestart
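An added PowerShell version of the same idea (not the commenter's script): audit which of the four KB articles named above are actually present before calling wusa.exe, and remove only those. It assumes an elevated prompt on Windows 7/8.x; the KB list is taken from the comment, and the exit-code meanings are the documented wusa/MSI conventions (0 = success, 3010 = success, reboot required).

```powershell
# Added example: verify-then-uninstall for the KB articles named in the comment.
# Assumes an elevated PowerShell session on Windows 7/8.x.
$kbs = @('KB3075249', 'KB3080149', 'KB3068708', 'KB3022345')

function Get-ListedHotFixes {
    # Get-HotFix reads the same data Add/Remove Programs shows for installed updates.
    Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
}

function Remove-ListedHotFixes {
    param([switch]$WhatIf)
    foreach ($fix in Get-ListedHotFixes) {
        $num = $fix.HotFixID -replace '^KB', ''
        if ($WhatIf) { Write-Host "Would run: wusa /uninstall /kb:$num /quiet /norestart"; continue }
        # /norestart leaves the reboot decision to the caller (or the GPO startup script).
        $p = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart" `
            -Wait -PassThru
        [pscustomobject]@{
            KB       = $fix.HotFixID
            ExitCode = $p.ExitCode
            # 0 = removed; 3010 = removed, reboot pending; anything else needs a look.
            Result   = switch ($p.ExitCode) { 0 { 'removed' } 3010 { 'removed, reboot required' } default { 'check event log' } }
        }
    }
}

$present = @(Get-ListedHotFixes)
if ($present.Count -eq 0) {
    Write-Host 'None of the listed updates are installed.'
} else {
    $present | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
    # Dry run first; drop -WhatIf to actually uninstall.
    Remove-ListedHotFixes -WhatIf
}
```

Running the audit step on its own is also a useful check after the next Patch Tuesday, since the comment thread notes that these items can come back as "Important" updates.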
Don’t forget KB3035583, the wonderful ‘Upgrade to Windows 10’ nagware.
You should never install the “recommended updates” period. Never! Read the description of each one and see if it specifically applies to you and is absolutely necessary. I’m no fan of MS, and agree they are malicious towards their users many times. And they have been injecting spyware into windows 7 and trying to make the 17 update process frustrating by taking forever it seems since w10 has come out. But even for me this is a little overhyped. I did see that telemetry update, and I chose to hide it…
People calling this unscrupulous, should also be educating their listeners to never install recommended updates, only critical ones.
The problem with ‘recommended’ updates is they eventually move to “Important” and get lost in the shuffle. Most of the KBs above were in the “Important” group just now when I ran Windows Update on Win7.
Echo, good rant !!
“Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.”
I wish. I use two different crossword puzzle sites that only work if Flash is enabled. I’d love to deep-six Flash, but I can’t. Instead, I have Flash set to ask for permission on every site. It’s kind of a pain, but what can you do?
It’s a common misconception, but Flash is NOT Shockwave. The two plugins, despite the Flash plugin sometimes being called the “Shockwave Flash” plugin, are completely different. You’d be hard pressed to find a website today that actually uses Shockwave.
From Brian’s article,
“Mozilla Firefox users should note that the presence of the ‘Shockwave Flash’ plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.”
Flash is not Shockwave, but they call it Shockwave Flash for what, backwards compatibility reasons??
The Adobe product naming convention makes as little sense as their version numbering systems… 😉
Anyone else having issues with the updates? I installed all the non-.NET ones first which I seem to remember Brian recommended before. Then restarted and tried to install the 3 .NET updates but it hung trying to install the 3rd one. No error message, just stopped on the normal window saying “Installing update 3 of 3”.
The situation is still the same – bad.
MS15-094 – Cumulative Security Update for Internet Explorer – is common to versions 7, 8, 9, 10 and 11. Thus, the vulnerabilities were in the source sometime in 2003-5.
There have been several hundred such errors in IE (6, 7, 8, 9, 10, 11).
The situation is similar in the operating system. (MS15-097, 098, 101, 102, etc.)
In ten years (from Vista and IE 7) hackers have had enough time to get to the source code, prepare malicious programs and test them well.
Flash – this is a tragedy (in terms of the number of errors). If it were a plane, the FAA would lock Flash in the hangar and throw away the key.
According to the graph from this page on Adobe’s website -https://www.adobe.com/products/shockwaveplayer/shockwaveplayerstatistics.html – Shockwave usage was only 41% in 2011, compared to 99% for Flash. I’m guessing that both those figures will have dropped a fair bit in the intervening years.
The relevant Wikipedia page for Shockwave – https://en.wikipedia.org/wiki/Adobe_Shockwave – makes for interesting reading – I’d not realised how far the technology went back in time – but also lists the reasons why it has fallen out of favour.
Having said that, Adobe’s Shockwave Player forum over on their website at https://forums.adobe.com/community/shockwave seems to be pretty active. Considering that the Shockwave Player won’t work in 64-bit web browsers, or at all in Google Chrome, I’d imagine that would limit the potential user base even more. But it appears that some people are *still* using it. Go figure.
This is why I do not upgrade VMWare vSphere 5.5 or 6.0. Who wants to use their crappy flash based web interface. Long live the vSphere C# client!!!!!
I too was completely baffled when they went to the Flash-based VIC. Tragic. The administrative interface for Horizon View is Flash too, and has always in my experience been massively slow and clunky.
I also think it’s about time for KrebsonSecurity to publish an article about all the spyware and other questionable updates that MS is pushing on us in the last few months …
It would be a long list. Several favorites: MSIE v.6-11, Windows Vista-8.1 (XP-8.1), Java and Flash.
Analysis and repair of the source code of these programs would solve more than half of the problems with virus or hacker attacks.
Shockwave is no longer supported in Chrome, so users need to use IE, for example, where it still is.
If you try using Shockwave in Chrome you will get errors or be prompted to download an unusable file.
Ever since Windows 10 it seems Microsoft has gotten worse and not better. All I see is that over paid CEO who wants to control everything. I say he should be making $30,000 a year no bonuses and the rest should go back to the people who have received or bought windows 10 a letter saying we messed up you deserve better and then give them a food card with $100 on it.
One of Microsoft’s August 11 updates removed the WU notification icon from the notification area (Windows 7 computers, at least). The icon now is listed as “inactive”. This is not only disconcerting; it is a potential disaster for users who set Windows Update to “Check for updates, but let me choose whether to download and install them”. In the absence of notifications, those users may incorrectly assume that there are no updates to be installed.
One of the August 11 updates was KB3075851, described as an update to “Windows Update Client”. I haven’t verified that this is the source of the issue, but in any case the absence of WU notification icon is disturbing and potentially very problematic.
Since installing M$’s August 11 updates on my (five) Windows 7 machines, I have noticed that the WU notification icon no longer appears in my system trays. The icon is listed as “inactive”. WU can be invoked from the Control Panel, but there is no longer any notification when new updates become available.
The August updates included KB3075851, described as an update to Windows Update Client. I have not verified that this item killed the notification-area icon, but I think that’s quite possible.
In any case, currently the absence of a notification icon for WU is a potential security risk for many users. Anyone who set his/her machine to “Check for updates but let me choose whether to download and install them” may now be under the illusion that there are no available updates, since the notification area no longer apprises users of their availability. Sure, you can go to the Control Panel and manually invoke Windows Update, but less savvy users, who don’t do this, are likely to end up with compromised machines before long.
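With the tray icon gone, the risk the two comments above describe is that pending updates go unnoticed. The following added example (not from the comments) asks Windows Update directly: it reads the AUOptions setting (the Group Policy key first, then the local one) and lists updates that are available but not installed, via the Windows Update Agent COM API. It assumes Windows 7/8.x with the agent present; the mapping of AUOptions values to the Control Panel wording is the documented one.

```powershell
# Added example: replace the missing notification icon with a direct query.
# Assumes Windows 7/8.x; Microsoft.Update.Session is the Windows Update Agent COM API.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$meaning = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-AUOption {
    # A policy value, if present, overrides the local Control Panel setting.
    foreach ($key in $policyKey, $localKey) {
        $v = (Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $key; Value = [int]$v; Meaning = $meaning[[int]$v] }
        }
    }
}

function Get-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet installed; IsHidden=0: skip updates the user chose to hide.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = $u.MsrcSeverity
        }
    }
}

$opt = Get-AUOption
if ($opt) { Write-Host "AUOptions = $($opt.Value) ($($opt.Meaning)) from $($opt.Source)" }
$pending = @(Get-PendingUpdates)
Write-Host "$($pending.Count) update(s) waiting to be installed."
$pending | Sort-Object Severity -Descending | Format-Table -AutoSize
```

Scheduling this as a task that writes to a log (or emails the count) gives users in the "let me choose" mode the reminder the icon used to provide.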
Yes, this happened to me as well, and I’m surprised to have seen so little about it. I uninstalled one of the suspected updates (I can no longer remember which one), and it completely borked my computer, so I went back to a restore point. Unfortunately I lost all of my Windows Update history, but at least my computer works. I just have to remember to check WU once in a while because I no longer have the icon reminding me. The icon was annoying, anyhow, because I never update until they have been out for about 3 weeks.
Microsoft also posted Silverlight 5.1.40813.0 on 9/1, retracted it 9/3, posted 5.1.40904.0 on 9/9, retracted it 9/10, and is currently back to 5.1.40728.0 of 8/11. (Silverlight is the only way to stream Netflix on older Macs and PCs.)
“(Silverlight is the only way to stream Netflix on older Macs and PCs.)”
Too bad they didn’t keep up with their Moonlight plugin:
Just more of the s[h]ame.
I was just wondering if these MS spyware updates were causing my problem? A few months back I noticed that unique invoice codes (UUID codes, each unique and unguessable) given to our customers were appearing in our web logs and were coming from Microsoft Bing IP addresses! They had hundreds of our customer codes, and these codes were never given out to anyone except the customer. How did they leak? Turns out they didn’t…
It transpired that Microsoft software (browser, chat, Skype, Outlook, Hotmail etc) was intercepting hyperlinks as customers were clicking on links, and was passing them back to Microsoft without the user knowing!
When I reviewed our code, we had the invoice code in a hyperlink within an email body, to make clicking it easier, but of course what happened next is that Bing was “discovering” the URLs and trying to index them. Microsoft were spying on customers.
Microsoft should be sued for this, it is a gross breach of privacy and I would warn all webmasters to check their codebase and check their logs! It would be easy to set up a honeypot to test this.
I complained to Microsoft and they gave me dumb answers all the time, like it was my fault for putting the links on our website – but of course we did NOT ever do this. I emailed the new MS CEO and escalated the issue and eventually, after a month of arguing, they conceded that they “auto discover” URLs by “other means”, and not just spidering websites with their search engine.
Microsoft don’t have a Bing department it transpires, so it’s very difficult to get support. The entry-level tech team for Bing and SEs are really, really bad (sorry, but they are).
Disgusting behaviour and to think that MS openly criticise Google, and they are just as bad, if not worse!
Could Krebs cover this story perhaps?
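The log check the commenter recommends to other webmasters can be automated. This added example (not the commenter's code) scans access-log lines for requests whose URL carries a UUID-style token and flags any token fetched from more than one client address, which is the signature of a link that was followed by someone other than its recipient. The log lines, IP addresses and UUIDs are constructed for the demo; the combined-log regex is an assumption about the server's format.

```powershell
# Added example: find one-time tokens in URLs that were fetched by more than
# one client. Log lines below are constructed; addresses are documentation ranges.
$sampleLog = @'
203.0.113.10 - - [10/Sep/2015:08:01:02 +0000] "GET /invoice/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2015:08:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2015:08:03:44 +0000] "GET /invoice/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
203.0.113.55 - - [10/Sep/2015:09:15:00 +0000] "GET /invoice/9c5b94b1-35ad-49bb-b118-8e8fc24abf80 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'@

# Combined log format (assumed): ip ident user [time] "method path proto" status bytes "referer" "agent"
$lineRe = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"'
$uuidRe = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

function Get-TokenRequests {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $lineRe) {
            # Copy the groups before the second -match overwrites $Matches.
            $ip = $Matches.ip; $path = $Matches.path; $ua = $Matches.ua
            if ($path -match $uuidRe) {
                [pscustomobject]@{ Token = $Matches[0]; ClientIP = $ip; UserAgent = $ua }
            }
        }
    }
}

function Find-SharedTokens {
    param([string[]]$Lines)
    Get-TokenRequests -Lines $Lines | Group-Object Token | ForEach-Object {
        $ips = @($_.Group.ClientIP | Sort-Object -Unique)
        [pscustomobject]@{
            Token     = $_.Name
            ClientIPs = $ips -join ', '
            Agents    = (@($_.Group.UserAgent | Sort-Object -Unique)) -join ' | '
            # One token seen from several clients means the link leaked beyond its recipient.
            Suspect   = ($ips.Count -gt 1)
        }
    }
}

$lines = $sampleLog -split "`r?`n" | Where-Object { $_ -ne '' }
Find-SharedTokens -Lines $lines | Format-Table -AutoSize
# In the constructed data the first token is fetched by two addresses and is flagged;
# the second is seen from one address only.
```

The structural fix is the one the comment points at: a secret in a GET URL is visible to every link-scanning client between the mailbox and the browser, so such tokens should be short-lived or single-use, or the sensitive page should sit behind a login rather than a guessable-by-possession link.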