February 10, 2016

Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

brokenwindowsOne big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

brokenflash-aPatch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out the second security update (Java SE 8, Update 73) this week for Java JRE. as well as an emergency security update from Oracle for Java — the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have an specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

33 thoughts on “Critical Fixes Issued for Windows, Java, Flash

  1. Arbee

    Adding to your updating delights, about a week ago, Microsoft released EMET v5.5 (dated 29 Jan 2016):


    EMET v5.2 (the previous version) was released 16 March 2015. EMET v5.5 beta has been available for a while. I haven’t found any setting / service / alert within EMET to learn about updates. Periodically, I check manually for EMET updates. I’m unaware of any significant change from v5.2 to v5.5 beta apart from support for W-10, hardly unimportant, but if you’re not using W-10….

    One noteworthy difference introduced in EMET v5.5: if you’re currently using EMET, transferring settings from earlier versions (including v5.5 beta) to v5.5 is apparently somewhat more complex than simply exporting / importing an .xml file. RTFM.

    My experience with EMET v5.5 was brief. Under W-7 (both 32- and 64-bit Pro / SP-1), v5.5 installed but failed after re-booting. (Anticipating one line of inquiry: yep, .NET Framework installs are topped off.) I uninstalled EMET v5.5 — it apparently left no unwanted spoor — and reinstalled v5.2, easily done because I’d exported / saved a v5.2 .xml configuration file BEFORE installing v5.5.

    As with prior EMET versions, there’s an option to separately download the .pdf v5.5 User’s Guide. With previous versions of EMET, there was no need: you got the User’s Guide as part of an installation. Perhaps you want to read it before you install / update? Hmmn, reading the User’s Guide first; such a quaint concept! Strangely, though installing v5.5 adds a User Guide entry to the start menu and “User Guide” is offered in EMET’s GUI … there’s no User Guide. I added the (separately) downloaded User Guide to the installation directory and the links functioned. I sure am glad Microsoft worked out the kinks in the v5.5 beta version.

    As I mentioned above, one significant change v5.5 brings is support for W-10. Perhaps under post-W-7 OS’s, EMET v5.5 is stable, indeed, an improvement to v5.2. My experience under W-7 suggests sticking with EMET v5.2 if you’re not using a later OS. YMMV, and I’d like to read about other users’ encounters with EMET v5.5.

    1. Isaac

      Thanks for the heads-up on EMET. I was running EMET 5.5 beta on W10 and had forgotten to inquire about updates. Just installed the released version: 5.5.5871.31892 thanks to your tip! Installed just fine over 5.5 beta auto-magically (I just use recommended settings).

    2. somguy

      And in case, like me, you didn’t know what EMET is and it’s not mentioned even once in the comment, it’s
      “Enhanced Mitigation Experience Toolkit”

      1. Isaac

        Just a FYI for anyone not familiar with EMET – click on the link “Arbee” provided in his EMET comments above.

        Pretty much everything you need to know about EMET is right there.

    3. CooloutAC

      Ya, if you don’t use windows 10 or alot of microsoft programs I wouldn’t bother with 5.5 One of the bad things about it is that it requires secondoary logon service to be on, which is a huge security risk. It took me a while to figure out why the EMET_service wasn’t even starting…

      Not to mention its also buggy as hell and I don’t even think it works right on my win 7 machine.

      IMO it is better to use 5.2 if you use windows 7.


  2. Paul

    I stopped using Flash, yeah some sites still use it but I don’t need it and it stays unplugged. Thanks for your information.

  3. Charlie

    The Java Control Panel on my computer tells me that I have the recommended version of Java, but that it is Java 8 Update 71, not Update 73. It seems to check as whenever I open the Control Panel, but there’s no other way to force it to check.

    (For the record, I use the Control Panel to keep Java turned off at all times unless I’m logging into one of the rare sites that requires it.)

  4. Old School

    Much ink has been spilled on the subject of Patch Tuesday while nothing is said about Cleanup Monday, the day that a significant preparatory function is performed. Cleanup Monday is the day that the “Free up disk space” option of Administrative Tools is used to run disk cleanup executed with the cleanup system files option. Various groups of files are made available for deletion with the Service Pack backup and the Windows Update cleanup groups having the largest amount of data. The later reuse of the freed space could improve performance by reducing seek time for the HDD folks and additional free space is always welcome. As for the deleted files, their likely need is minimal because the software that has replaced them has been running for nearly a month thus providing more than enough time for problems to have surfaced.

    1. Somguy

      True, but with modern computers typically coming with 500gb drives or more, the need for cleanup of such small amounts is greatly reduced. Also most windows computers will automatically defrag to help prevent hdd slowdown.
      Plus the real space hog on a windows computer that’s been running a while is the winsxs folder, which MS doesn’t have a supported way to cleanup. Yes, supposedly it’s supposed to symbolic link to duplicate files to reduce space, but it’s not good at that. The actual space used by it on my computer is in the tens of GB.
      That said, most computers in a work environment are probably ok with that, since they don’t have tons of programs installed and uninstalled frequently. And a work computer can just be reimaged if there’s an issue.

  5. Carol Finch

    I keep getting notices that I haveerrors on my computer… this is 2 programs from microsoft… driver up date and slim cleanup

    1. Somguy

      I don’t think MS has any such program called “slim cleanup”
      Sounds more like a adware/malware program that’s a fake cleaner. I suggest doing some research on it, see WTF it is

  6. timeless

    @Brian, there are used to be two additional places where code related to the flash runtime lived: Adobe Reader and Adobe AIR.

    https://helpx.adobe.com/acrobat/using/flash-player-needed-acrobat-reader.html indicates that Reader is no longer bundling its own Flash engine.

    http://www.adobe.com/devnet/air/articles/getting_started_air_as.html — ActionScript, the underlying scripting language+vm is still used in Air, so, there’s probably an update needed for it, although like Java w/o a browser plugin, as long as the apps are local and don’t interact w/ anything*, it’s less of an issue.

  7. Mike

    I have absolutely no faith in the idea that updating anything actually improves security or enhances levels of safety when online. Although I do believe in the utter futility of installing more software for the perceived control of poorly written code that so many people are convinced they need. This constant process of updating is perhaps the single biggest point where Brian Krebs and I just don’t see eye to eye on. That’s fine. I simply see it differently. It all comes down to who has control of what.

    I run across Mac devotees all the time who believe that they made a wise choice in going with Mac simply based on the fact that their machine runs fast and smooth even as it becomes quite old. That if they had a Windows based computer, it would have destroyed it self years ago. Never once giving any consideration to how these machines get used. Never once thinking about the idea that with just a few choices made different, a Windows machine could just as easily last forever. I have WinXP machines that bootup within just a few seconds and run as smooth as crystal. Along with Linux computers that are work horses. Keep them dust free, feed them clean power, and understand their needs and you will certainly get your money’s worth out of it. There are no updates that can make up for any of that.

    With that said, get rid of Java. Get rid of Flash. Put as much distance between you and IE as you can along with any Adobe product. Take control of your network and filter out all that unneeded junk. You will become a much more satisfied user.

      1. Mike

        What exactly is there that confuses you so much? Care to explain yourself? I thought I was quite clear and reasonable.

  8. James

    Much as I’d love to be rid of Flash, one of the biggest and busiest websites in the UK (bbc.co.uk) uses it as its standard. Converting the site to HTML5 is not going to be a quick or easy job…

    1. BrianKrebs Post author

      in your case, one way to mitigate the issue is to use virtualbox to run flash in a browser on a linux OS that just resets every time you reboot the virtual machine. Use that on pages/sites that don’t work without Flash and ridiculous amounts of javascript turned on. Like linkedin, facebook, twitter, hootsuite, etc. works for me, but your mileage may vary. that reminds me, I need to do a tutorial on this.

    1. Bruce Hobbs

      Why would Ubuntu be different from other operating systems? If you don’t need Java, uninstall it. If you do, read what Brian suggests in the post above.

  9. Jay

    Re your EMET link, for everyday users (not developers), which of these half dozen should we pick?
    Here is the MS url from which the list comes:

    General information for Enhanced Mitigation Experience Toolkit:
    Enhanced Mitigation Experience Toolkit
    Enhanced Mitigation Experience Toolkit
    About This Video The Enhanced Mitigation Experience Toolkit (EMET) is a utility designed to help IT Professionals protect systems from common threats.

    Enhanced Mitigation Experience Toolkit 4
    Enhanced Mitigation Experience Toolkit 4
    1 Introduction The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent attackers from gaining access to computer systems.

    Enhanced Mitigation Experience Toolkit 2.0
    Enhanced Mitigation Experience Toolkit 2.0
    In August 2010 we released the new version of EMET with brand new mitigations and a new user interface experience. Two new mitigations are included in this version …

    Enhanced Mitigation Experience Toolkit 5
    Enhanced Mitigation Experience Toolkit 5
    3 Enhanced Mitigation Experience Toolkit 5.2 User Guide and call all the handlers on each exception record. Since the attacker controls one of the records, the OS

    Technet forums – Enhanced Mitigation Experience Toolkit …

    1. Arbee

      I’m inferring from your query that you’re not currently running any version of EMET, that you’re considering installing EMET, and you’re wondering which version to install. For better or worse, all the Microsoft links I’ve found to EMET versions earlier than v5.5 yield no joy. The only active Microsoft link — the one in my initial comment — offers EMET v5.5 and, based on Isaac’s comment, v5.5 apparently works under W-10.

      If you’re running an earlier Windows version and you’d like EMET v5.2, none of those links are active. Which is to say: if you’re currently running EMET v5.2, doing nothing may be the best thing to do.

      (As an aside, if you’re running XP and you’d like EMET v4.1, you have more profound security considerations than EMET can address.)

      Related to my infelicitous experience with EMET v5.5 under various installs of W-7, the initial release of EMET v5.2 resulted in what I’d describe as a “Go figure!” moment: EMET v5.2 crashed Internet Explorer. There was a subsequent re-release of v5.2 (same version number) that played well with Internet Explorer. I haven’t received any secret communication from the folks in Redmond, but if my experience with EMET v5.5 under W-7 isn’t anomalous, I expect there’ll be some sort of fix. Eventually.

      Worth keeping in mind: EMET is free.

      I hope this helps.

      1. CooloutAC

        I’ve had bad experiences with 5.5 on win 7 also. Very buggy when adding apps, crashes alot, doesn’t seem to work sometimes. . It also requires secondary logon service to be started to even start the emet service, which makes no sense to me because it is a security risk.

        I think its best to stick with 5.2 if you have win 7.

Comments are closed.