Adobe has issued security updates to fix weaknesses in its PDF Reader and Cold Fusion products, while pointing to an update to be released later this week for its ubiquitous Flash Player browser plugin. Microsoft meanwhile today released 16 update bundles to address dozens of security flaws in Windows, Internet Explorer and related software.
Microsoft’s patch batch includes updates for “zero-day” vulnerabilities (flaws that attackers figure out how to exploit before the software maker does) in Internet Explorer (IE) and in Windows. Half of the 16 patches that Redmond issued today earned its “critical” rating, meaning the vulnerabilities could be exploited remotely with no help from the user, save for perhaps clicking a link, opening a file or visiting a hacked or malicious Web site.
According to security firm Shavlik, two of the Microsoft patches tackle issues that were publicly disclosed prior to today’s updates, including bugs in IE and the Microsoft .NET Framework.
Anytime there’s a .NET Framework update available, I always uncheck the .NET updates, install the rest, reboot, and then install the .NET updates on their own; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary.
On the Adobe side, the pending Flash update fixes a single vulnerability that apparently is already being exploited in active attacks online. However, Shavlik says there appears to be some confusion about how many bugs are fixed in the Flash update.
“If information gleaned from [Microsoft’s account of the Flash Player update] MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th,” Shavlik wrote. “With this in mind, the recommendation is to roll this update out immediately.”
Adobe says the vulnerability is included in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS, and that the flaw will be fixed in a version of Flash to be released May 12.
As far as Flash is concerned, the smartest option is probably to hobble or ditch the program once and for all — and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.
If you use Adobe Reader to display PDF documents, you’ll need to update that, too. Alternatively, consider switching to another reader that is perhaps less targeted. Adobe Reader comes bundled with a number of third-party software products, but many Windows users may not realize there are alternatives, including some good free ones. For a time I used Foxit Reader, but that program seems to have grown more bloated with each release. My current preference is Sumatra PDF; it is lightweight (about 40 times smaller than Adobe Reader) and quite fast.
Finally, if you run a Web site that in any way relies on Adobe’s Cold Fusion technology, please update your software soon. Cold Fusion vulnerabilities have traditionally been targeted by cyber thieves to compromise countless online shops.
The Flash update is not yet available. According to Adobe the Flash update will be available “As early as May 12th.”
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
It is available for Windows 8.1 users. I just got it offered and downloaded.
True, but the plug-in version (Firefox/Chrome) is not out yet.
After updating Windows 10 x64 Home earlier this afternoon, IE11 Flash is at version “21,0,0,241 installed” even though Adobe does not show this version yet.
Also, Windows 10 x64 Home Edge browser Flash is also upgraded to “version 21,0,0,241 installed”. I almost never use Edge, but checked it now out of curiosity.
Really disgusted with Microsoft. This morning, May 17, Microsoft automatically downloaded Windows 10 and with it downloaded Flash!
For the last year my life on Sunday mornings has been peaceful since uninstalling Flash from my kid’s computer. No Sundays cleaning out her viruses.
Using the latest Mac OS, how does Sumatra mesh with Windows Word?
Macintosh users don’t need Adobe Acrobat as Apple’s Preview is built in.
Win10 users don’t need it either unless they need advanced features. Edge will open PDFs in the browser. Windows Explorer will also preview them in the preview pane.
What do you mean by mesh? Is .pdf not a format that Word for OS X can open and save as?
This morning, I checked my Adobe Distribution page and there were new Flash updates for ALL platforms, including even a new updated Extended Support version. I decided I’d download them later. When I checked later on today, they had all been withdrawn, and the message put up about May 12th. I have to assume those of you that got a new player today may not be totally protected, as Adobe pulled the updates for some reason. In the past we’ve seen this happen as an update either (1) doesn’t completely fix the problem, or (2) has other issues and/or vulnerabilities.
Adobe reader direct download link
http://ardownload.adobe.com/pub/adobe/reader/win/AcrobatDC/1501620039/AcroRdrDCUpd1501620039.msp
Adobe Acrobat 11.0.16 Pro does not work. Had to downgrade again to 11.0.15 Pro…
What kind of problem did you have with Adobe Pro 11.0.16? We deployed it within our IT department and have not seen any issues (yet).
I don’t like the DC version of Acrobat, but the version before it was ever introduced, still functions well.
I don’t want or need “cloud” feature(s).
Amen
“Anytime there’s a .NET Framework update available, I always uncheck those updates to install and then reboot and install the .NET updates; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary.”
How do you do this on Windows 10?
Unfortunately, unless you are running Windows 10 Enterprise, you can’t pick and choose which updates to install.
My Surface Pro 3 will automatically get updated the next time I use it.
If your experience is like others’ experiences, let us know if it gets corrupt-dated.
Mike,
Are you referring to the May 2016 updates in particular, or just updates in general, on the Surface Pro 3?
Mike,
FYI, my Surface Pro 3 got auto-updated without any issues.
On Windows 10 Pro, if you turn off automatic updates, can’t you delay the installation of individual updates?
No longer. Initially one could; however, Redmond found that far too many were failing to download and upgrade the important patches and changes. Remember, Windows 10 is designed as a ‘Living’ Operating System, not static like all the many previous operating system programs designed for a far simpler time.
Evince (free & open source, for Windows/Linux):
“Simply a document viewer
Evince is a document viewer for multiple document formats. The goal of evince is to replace the multiple document viewers that exist on the GNOME Desktop with a single simple application.
Evince is specifically designed to support the following file formats: PDF, PostScript, djvu, tiff, dvi, XPS, SyncTeX support with gedit, comic books (cbr, cbz, cb7 and cbt). For a comprehensive list of formats supported, see Supported Document Formats[1][2].”
Downloads:
https://wiki.gnome.org/Apps/Evince/Downloads
[1] https://wiki.gnome.org/Apps/Evince/SupportedDocumentFormats
[2] https://wiki.gnome.org/Apps/Evince
Hi there,
I take it that this Vuln affects IE8 as well and therefore this would be a zero day with no fix for those who continue to use IE8? (as IE8 is gone EOL)
Hi Brian,
Thanks for the reminder about the Sumatra PDF Reader — it’s so much better than that bloated and insecure monster Adobe Reader, and I first learned about it on your web site quite some time ago…
Free PDF Reader – Sumatra PDF http://www.sumatrapdfreader.org/free-pdf-reader.html
Thanks again for all your ongoing excellent advice and reminders!
+1 to everything in this comment.
Worth adding: one reason Sumatra is small and fast and lacks for vulnerabilities is because it’s pretty much bare bones. There are other readers with more features, for example, Nitro
https://www.gonitro.com/pdf-reader
It’s on my machines too, and I use it, but I doubt more than 10 times per year. Sumatra’s my default, and most of the time, it’s all I need.
I recently set up a new Windows 10 system. After setting dozens of options to match my work needs, I began using it. I was called away for 15 minutes. When I came back it had rebooted. Lost the arrangement of several dozen programs I was working with, and lost some data in a few.
Who at Microsoft thought that was a good setting for Windows Update?
What is the real threat? Windows 10. Yeah, I know actually getting a virus would be worse, but what if the patch had blue-screened on reboot while I’m in the middle of a time critical project?
(I have since fixed the offending Windows Update setting)
And, you have to keep after your settings. Every time you update, they want control of your machine. It’s not like XP/7, set and forget. Each time you restart, start and boot, they, MS, want to control. Almost new Asus laptop, Nvidia with touch, wow!!! But try and dual boot, like Mint, but have to have MS. MS doesn’t like Mint, and neat, MS doesn’t like Defender, ZoneAlarm, and ClamWin, dang, with that…
Adobe had Flash update 21.0.0.240 posted on their distribution site yesterday but have since removed it.
“Adobe says the vulnerability is included in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS…”
Version .226 is available only for Firefox and Safari on OS X, for some reason. The PPAPI for Chrome (but not for other Chromium-based browsers) is at .216 and everything else is at .213.
Why do people still even use windows?
Because, patti, it’s the only system that works well. I tried various Linux flavors and they all lacked features that Windows has by default, such as software compatibility and installable printer drivers, to name a few. Why on earth would I want to have a machine that strips my nice Canon 3-in-1 printer, copier and fax machine down to a printer only? That’s what happens with Linux’s generic printer driver. Then there’s the issue of no VeraCrypt software available for any system except Windows. I have a couple of encrypted VeraCrypt containers that contain vital mission-critical data that I use on a daily basis that can’t be opened in Linux. Forget about Apple, I have zero interest.
Has the trojan Win10 upgrade KB been identified yet, so it can be avoided? (Last time, they embedded it in a ‘critical’ IE update.)
This time it wasn’t .NET that borked my PC, but one of the cumulative IE-9 updates. I kept getting weird failure messages when I tried to restore back, but in fact it did restore fine. It is about to drive me insane. I need to upgrade to Win 7 in the worst way! I haven’t even had time to look at Flash!
Adobe has published the newly-revised (re-revised?) Flash updates (to v21.0.0.242), still available for direct download from the following link:
https://www.adobe.com/products/flashplayer/distribution3.html
What is the best recommendation for trying to get off Adobe Reader/Flash for business use? I feel like we are constantly trying to fight this battle for security, but in the end we will always lose with Adobe products.