08
Mar 16

Adobe, Microsoft Push Critical Updates

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.

As it is known to do on Patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. Alas, there appears to be no update for Adobe’s Flash Player plugin as per usual on Patch Tuesday. However, an Adobe spokesperson told KrebsOnSecurity that the company will be issuing a Flash Player update on Thursday morning.


27 comments

  1. It is to note, though, that even if one never uses IE directly it can still be used as a service by other applications.

    • Good point Chap.

    • CodeMan

      codeman@aol.com

      been that way since Win95. no surprises here. it’s a shame that they haven’t figured out how to break their bad habit of continually reusing crap code like this at MS.

      but i guess they never get past the thunking of it all

      https://support.microsoft.com/en-us/kb/155763
      How To Call 16-bit Code from 32-bit Code Under Windows.

      now they just call 32 bit from 64 bit and call it Windows 10. that’s why they give it to you for free. at least that’s what you’re supposed to believe that is happening.

      wake you neo!

      even if you turn off internet explorer, there are parts that the system needs for updates as well as the formerly known as FileManager [Explorer] which is all hard-coded into the windows system itself.

      there’s no way around it.

      all systems are by design coded this way. so pick your code poison, OS X Windows Linux Android iOS, etc. you’ve all been hooked on this stuff for years.

      look at it this way, hammers aren’t by nature a weapon, the mind and heart of the user is the weapon. the creator only had a need and created what was needed to complete a task. everybody’s got free will.

      CM

      not related to the bad music of codeman.

      “i was a punk before he was a punk”

    • I have assumed that to be possible. I don’t use IE and set all Security Zones in Internet Properties to HIGH security. Am I deluding myself that this is an effective way of limiting security vulnerabilities of the IE service?

  2. I’m still loving my Chromebook!!

  3. Great post!

    Thanks a lot for this,

    http://hugecode.net/

    • That is really bad. I’m glad I only use IE on my Windows 7 machine when I come across a site that requires it.

    • Wow, that is really horrible – wrapping Windows 10 upgrade advertising inside a “security update” for I.E. 11. Zero respect for their customers and their wishes.

      Few companies show such consistent inability to make morally appropriate choices when it comes to the treatment of their customers as Microsoft. It’s so long term – going back to before they were convicted of abusing their monopoly marketshare – and pervasive that it must be cultural.

      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

      http://arstechnica.com/gaming/2012/01/how-the-next-xbox-could-stop-you-from-playing-used-games/

      I tried Linux Mint, but found out it’s not very good from a security standpoint. I think I’ll use this as a push to try another Linux distribution.

      • Well, the Linux Mint *website* did suffer a pretty significant hack. That lasted one day, and from what I understand, they are doing everything possible to ensure that it can’t happen again. I’ve also read that Mint tends to favor stability and reliability over security when it comes to implementing new kernels and libraries. Ubuntu (Mint’s “parent” distro) is apparently a little more daring in this regard. That being said, I don’t recall coming across any reports of major or widespread exploits in Linux Mint in the real world — except, of course, for the hacked distros that were downloaded from the hacked website that one day. I’m not remotely an expert, and I haven’t tried the 28-consecutive-backspaces-to-bypass-login trick on it, but I’d guess that Linux Mint is still more secure, overall, than any version of Windows.

    • The article is misleading – it implies that Microsoft deliberately added an unnecessary change to the security update for advertising purposes. It’s far more likely that there was a natural dependency between the two updates, and leaving the advertising component out would have involved extra work, quite possibly a significant amount of extra work if you include testing.

      (On the other hand, it’s become clear that the testing regime for updates isn’t nearly as robust as it used to be. Whether that actually means it is much cheaper, I’m not sure.)

    • It’s a sad day, when I would prefer to have Steve Ballmer back, instead of current CEO Satya Nadella. First Satya cans many of the testing and quality assurance staff. As part of cost-cutting, the developers are told to do the testing and UAT. Next he slaps gag orders on security bulletins (compare the thoroughness, details and workaround suggestions from older, pre-2014 bulletins, to what you get today). Now, he’s trying to cram Win 10 down our throats, a.k.a. the complete opposite of Listen To Your Customers.

      Satya is destroying the Microsoft brand with his actions. The lack of openness with customers on Win 10 is appalling. Such secrecy and arrogance! Granted, few have ever fully trusted MS, but thanks to Satya, we must treat every MS initiative as an enemy.

  4. For those of you who may have been using the lightning fast Comodo Dragon on Vista x64, you will receive a nasty surprise. It is truly the end for that browser on Vista – of course they are ending support in April anyway, even though they are well behind Google Chrome in development. It was the extensions that were crashing the browser, but reinstalling the basic package didn’t help, even though I removed all user profiles – it kept trying to enable added extensions. I suppose it was .NET that broke this venerable browser; any other speculation would be entertaining.

    I was able to get Chromodo to run, but it isn’t the speed demon the other browser was. Oh well, guess it’s time to finally upgrade to Win 7! :(

    • Are you sure you don’t have it backwards? It’s Chrome that has openly said they’ll pull the plug in April; Firefox has said nothing (yet).

  5. I installed the new updates yesterday, minus the two that were nothing more than Windows 10 nagware. They caused an Event 7001–total freeze up. Checked 7001 corrections information, but didn’t have any of the problems mentioned. Computer is two year old HP with Windows 7 Pro and Online Armor firewall. No other special add-ons.

  6. The Adobe Flash version check website still works:

    https://www.adobe.com/software/flash/about/

    But the Adobe distribution link you used to use was decommissioned on March 1st. Any news of a replacement?

    https://www.adobe.com/products/flashplayer/distribution3.html

    • Still available… but maybe not much longer, if you read the fine print. As of today, page is still serving up the latest version of Flash (21.0.0.182) for both Win and Mac.

  7. It’s worth mentioning that one of the Microsoft patches covers a flaw that affects the Mac version of Office, but the last I saw the patch wasn’t yet available.

  8. Good that Windows users are considering switching to a new OS to avoid security and privacy problems. Linux offers some improvement. However, the Qubes OS was designed from the ground up to address these issues without the 0-day problems. It can run Linux and Windows apps.

    See https://en.wikipedia.org/wiki/Qubes_OS
    https://www.qubes-os.org/

  9. According to Infoworld:

    “A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java.”

    http://www.infoworld.com/article/3043064/security/two-year-old-java-flaw-re-emerges-due-to-broken-patch.html

  10. same in this post….Why the date of the post is showing as 16th march instead of today’s date which is 14th march

  11. Geez, give him a break guys. Dang, he just gave a review of a product that he has had for over a year and then asked if anyone would buy one at that price and you guys start screaming “Off with his head!” Personally, I wouldn’t care if Brian does start reviewing products because at least then I would have the opinion of a guy who clearly knows his stuff. Holy cow, if you’re that disgruntled then click somewhere else. As for me, I will continue to read.

  12. FYI: Here’s why I *always* wait at least a few days before trying to install any Microsoft updates:

    Microsoft Security Bulletin Summary for March 2016
    https://technet.microsoft.com/library/security/ms16-mar.aspx
    Published: March 8, 2016 | Updated: March 15, 2016
    Version: 2.2

    BTW, you’d think at a sharp high tech company, they might use file names like “2016-03.aspx” instead of “ms16-mar.aspx” ? Just saying… 😉

  13. I have started to believe from my 35 years in IT support that when it comes to stopping the hordes of Borgs from invading M$ products, resistance is futile.

    • I know the feeling quite well. I have already decided that there will be no more Windows for me. When what I have finally dies, that’s it.

      The thing is, it’s not just Windows. All OS’s have issues (even MAC).

      Ultimately, the only reason it feels futile is simply from so much refusal from so many people to actually learn and understand anything about technology. Most people know nothing about ASCII beyond the idea that it’s an old-school way of making funny pictures. It feels futile because most people not only refuse to take responsibility for what they have, but DEMAND Apple, Microsoft, Facebook, Sony, ISP’s, and Washington assume responsibility.