July 13, 2016

Adobe has pushed out a critical update to plug at least 52 security holes in its widely-used Flash Player browser plugin, and another update to patch holes in Adobe Reader. Separately, Microsoft released 11 security updates to fix vulnerabilities more than 40 flaws in Windows and related software.

brokenflash-aFirst off, if you have Adobe Flash Player installed and haven’t yet hobbled this insecure program so that it runs only when you want it to, you are playing with fire. It’s bad enough that hackers are constantly finding and exploiting zero-day flaws in Flash Player before Adobe even knows about the bugs.

The bigger issue is that Flash is an extremely powerful program that runs inside the browser, which means users can compromise their computer just by browsing to a hacked or malicious site that targets unpatched Flash flaws.

The smartest option is probably to ditch this insecure program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach — as well as slightly less radical solutions — in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart.

Happily, Adobe has delayed plans to stop distributing direct download links to its Flash Player program. The company had said it would decommission the direct download page on June 30, 2016, but the latest, patched Flash version for Windows and Mac systems is still available there. The wording on the site has been changed to indicate the download links will be decommissioned “soon.”

Adobe’s advisory on the Flash flaws is here. The company also released a security update that addresses at least 30 security holes in Adobe Reader. The latest version of Reader for most Windows and Mac users is v. 15.017.20050.

brokenwindowsSix of the 11 patches Microsoft issued this month earned its most dire “critical” rating, which Microsoft assigns to software bugs that can be exploited to remotely commandeer vulnerable machines with little to no help from users, save from perhaps browsing to a hacked or malicious site.

In fact, most of the vulnerabilities Microsoft fixed this Patch Tuesday are in the company’s Web browsers — i.e., Internet Explorer (15 vulnerabilities) and its newer Edge browser (13 flaws). Both patches address numerous browse-and-get-owned issues.

Another critical patch from Redmond tackles problems in Microsoft Office that could be exploited through poisoned Office documents.

For further breakdown on the patches this month from Adobe and Microsoft, check out these blog posts from security vendors Qualys and Shavlik. And as ever, if you encounter any problems downloading or installing any of the updates mentioned above please leave a note about your experience in the comments below.

43 thoughts on “Adobe, Microsoft Patch Critical Security Bugs

  1. andrea

    when will google chrome update the plugin for adobe flash?

    1. BrianKrebs Post author

      Looks like Google is in the process of pushing that out

      “The Stable channel has been updated to 51.0.2704.106 (Platform version: 8172.62.0) for all Chrome OS devices except Lenovo ThinkPad 11e Chromebook and Samsung Chromebook Series 5. This build contains a number of bug fixes, security updates, and feature enhancements. Systems will be receiving updates over the next several days.”


      1. twinmustangranchdressing

        That’s an update to Chrome OS, not Chrome, the web browser.

        1. twinmustangranchdressing

          However, Google may update the Flash Player PPAPI for the Chrome browser without formally updating the browser itself. (It has done so in the past, at least.)

        2. SeymourB

          Chrome’s been updated to 51.0.2704.106 on Win64 and OS X.

          1. twinmustangranchdressing

            Thanks. There’s still no mention of a stable channel update on the Chrome Releases blog, though.

          2. twinmustangranchdressing

            Actually, now that I’ve scrolled down to earlier posts on the Chrome Releases blog, I see a post announcing version 51.0.2704.106 was posted back on June 23.

      2. twinmustangranchdressing

        Good to see my comment appear right away after I tried posting a couple of comments without success on the Narconon SEO piece (which, by the way, still has displayed a couple of spam comments).

      3. twinmustangranchdressing

        Yesterday, Google made available an update in the stable channel for the Chrome web browser. This was the first update since well before Adobe released this update for Flash Player. I sure hope Google put out an update to the Flash Player PPAPI well before this Chrome update.

        P.S. There’s a spam comment elsewhere among these comments. (And there are still a couple of spam comments on your Narconon SEO article.)

  2. andrea

    thank you very much. without you we would not know when to up date!!!!!!!!!!

    1. Henry Winokur

      Generally, the patching world revolves around Microsoft, and their day (currently) to patch is the 2nd Tuesday of the month…AKA “Patch Tuesday”. Look for others to patch around that time, too. 🙂

  3. Carol Fehrle

    Brian, we are looking for a speaker to talk on the subject of cybersecurity. We will be hosting a luncheon for our small business customers and thought cybersecurity would be a VERY appropriate topic.

    Could you please get in touch and let me know if you do this type of thing?

    Thank you,
    Carol Fehrle, SVP/COO
    Quail Creek Bank

  4. Peter

    Just ditch Flash player and be rid of it.
    I’ve been without it for close to a year now and have not missed it.
    It is only rarely that I cannot watch a video, and it’s good to know what sites to avoid that way.

    1. Soy Tenley

      Websites that show rainfall patterns and movement of storm systems use Flash.

    2. Brent

      Peter, unfortunately that’s just not an option for business/enterprise users who require it to interact with vendor/client Flash apps or conduct research. The best we can do is block, patch and pray.

    3. Mike

      Some educational sites (e.g. NASM.org) still host their videos using Flash. This is unfortunate.

      To use one such site, I had to re-install Flash. Of course, I set it to “ask to activate,” etc. However, then other sites like YouTube which no longer require Flash will see that I have it and refuse to use HTML5, opting for delivery over Flash. While certain educational sites need to switch away from flash, the sites like YouTube that are flexible need to switch to where Flash is not the default distribution.

      1. SeymourB

        Sometimes its possible to deal with the HTML5/Flash issue via an extension. For example, I know of one plugin that can force YouTube to run over HTML5 or Flash with no more than a button toggle.

    4. Mike

      I do agree with you. Getting rid of it is better. However, as long as adobe offers it and so many websites use it; so will a large number of users. It is unfortunate and sad but it is just simply reality. It is difficult for my to listen to a company tell me that they take security seriously while still not only ‘using’ it but ‘requiring’ it. Meanwhile, home users would rather spend all of their time chasing their tale in a rat race of updating AV software to mitigate all the things that would go away if (oh only if!) they would just remove Flash all together and learn that most of these Flash based websites are NOT worth the danger they put themselves in. It will likely be those very same people complaining about and paying large sums of money for hacked/unusable devices and equipment. Oh well, I guess it doesn’t matter much anyway. Their computer was already on it’s last legs and was already about to be replaced (while living on a fixed income). As for work computers…..new machines are not in the budget and there isn’t any way at all of making any member of management actually understand that there is a very real problem that can be easily fixed.

  5. andrea

    still no update on chrome about adobe flash. what is taking so long. they should of updated already.

    1. Steve

      Calm down there little buddy… The chrome browser has been updated. Relax!

      1. twinmustangranchdressing

        Did Google increase the version number of the Chrome browser or did it only update the Flash Player PPAPI?

  6. Wayne

    I’ve had problems trying to install Flash for Firefox on my Vista-era machine. The updates for June and July have forced my Firefox to freeze and crash. I’ve tried everything (including deleting and re-installing both Firefox and Flash), but the same freezing and crashing happens, with a box asking me if I want to continue running the script, and it takes several tries to shut down Firefox. Since I can no longer get updates for Chrome, I had to switch over to Opera, but from what I see, they no longer update their browser for Vista machines, either.

    1. twinmustangranchdressing

      shows that there’s an Extended Support Release, version, of the Flash Player plugin. Presumably, that means this version doesn’t have the latest bells and whistles but it does have all the security patches. Maybe you should give it a try (after first uninstalling whatever version you currently have). You can find a download link on the page at
      under “Flash Player archives” although there’s only one link for version while there should be two versions of that version, one for Firefox, et al, and another for Internet Explorer.

      1. Wayne

        I went to the archived Flash page, downloaded a .zip file, but for some reason, extracting the file didn’t load into Firefox. I just have a bunch of unzipped files in a Download folder, but I don’t know what to do next.

        1. twinmustangranchdressing

          I have a Mac, not a PC, but here’s what I can figure out or surmise. I figure the files that contain _winax in their file name are installers that install the Active X plugin for Internet Explorer. The file for Mac with mac_sa in its file name is a disk image that contains Flash Player as a standalone (hence, the sa) app (which can be used to play compatible files without launching a web browser). The file with win_sa in its filename must be the version of the standalone app for Windows or the installer that installs the standalone app for Windows. I guess that
          is the installer that installs the plugin for Firefox, et al, so try running it.

          1. Wayne

            I tried it, the NPAPI did install, but I got the same result: crashing with a pop-up repeating if I wanted to stop the script. I’m beginning to believe the problem is with Firefox, instead.

            Thanks for your help, anyway.

            1. twinmustangranchdressing

              You’re welcome. It seems that if you want to browse the web with a browser that’s still being supported with security patches and you want to have Flash Player installed on such a browser, you’re stuck with the most recent version of Internet Explorer that runs on Vista. (However, Microsoft will end support for Vista in January.) Otherwise, maybe you can browse using Firefox without Flash Player, download (where possible) the content you want to access and play it with a standalone version of Flash Player. (Maybe you can paste the URL where such content is located — not to be confused with the URL of the webpage on which that content is displayed — into standalone Flash Player.) Or check out Mozilla’s support forum for Firefox.

  7. ethical hacking courses

    In a surprise turn according to experts, Adobe Reader bugs highlight the Patch Tuesday for July 2016 as Microsoft’s Patch Tuesday release includes only 11 total bulletins, six of which were rated critical.

    Adobe Flash vulnerabilities were the star of last month’s Patch Tuesday and experts said Adobe Reader hadn’t seen critical flaws in three months. However, Adobe’s July security bulletin for Acrobat and Reader takes on a total of 30 common vulnerabilities and exposures (CVEs), including critical vulnerability fixes for Adobe Acrobat DC and XI and Adobe Reader DC and XI on both Windows and Mac platforms.

  8. Kevin

    Amazingly, it’s firms like this that cater to healthcare providers that are still using Flash for its video vs. HTLM5. It would be nice for someone such as yourself to contact or put a nice piece of pressure on them publicly to have them change the way they do business. After all, their clients are only protecting PHI.

    They are Everyone’s a Caregiver (everyonesacaregiver.com) and Custom Learning Systems (customlearning.com).

    We’ve tried telling them and get “dead air” canned responses.

  9. Dennis Kavanaugh

    Two interesting points: (1) does anyone else find it odd that Microsoft and Adobe find about the same number of flaws each month, and provide patches? Are these new, or is it actually that they decided some time ago to limit the resources spent finding and fixing bugs because of my next point. (2) This is an example of the free market system failing us. As with the original intent of the term ‘utility’, these guys have built a product that most of the world relies on, and they can produce insecure code very cheaply thereby increasing their profits while spending little fixing the bugs, and we continue to use the product. It is not easy to walk away from Adobe, and even more difficult to walk away from Microsoft, so the notion that ‘the customer speaks with their wallet’ fails us. Sad indeed.

  10. David

    I have ditched Flash…no issues. Win10 made it easy. The majority of websites show no loss of function. Thanks for pushing that issue Brian.

  11. Wayne

    I’m running Vista and as of Friday afternoon, I have not received my monthly Microsoft updates.

    1. twinmustangranchdressing

      Does Microsoft Update run without a problem but report that there are no updates available? If Microsoft Update is behaving differently than this, maybe malware is to blame.

      1. Wayne

        Noticed the regular Friday Windows Defender icon didn’t show today, so I went to take a look…no settings had been changed, but there had been no daily automatic checking for Windows updates of any kind since Tuesday morning, and the nightly offline 2 AM Defender scan hadn’t happened since Tuesday night. However, I am still able to get updates for my Trend Micro security suite and Malwarebytes. Ran those two as well as a scan with the latest Defender, but nothing came up. It’s frustrating, considering I know that the End of Life for Vista was supposed to be next January. I can’t find malware of any kind.

  12. andrea

    so when is google chrome going to update so adobe flash will be update???? and steve you can keep your little budddy infored if you want.it friday and no update from google chrome.

  13. timeless

    @Brian, you’re missing a closing parenthesis:

    > Internet Explorer (15 vulnerabilities and its newer Edge browser (13 flaws).

  14. Tim

    I actually had a situation earlier where Chrome updated, but Flash stayed at the old version. I did some searching and found out that you can put “chrome://components” (without quotes) in the address bar, and that will show you what version of flash you’re running and allow you to manually check for updates independent of the usual update process. Hope it helps someone else.

  15. Chris Pugson

    WINDOWS 7 UPDATE PROBLEMS and a source of valuable help

    I got home from vacation on 21 July having missed Patch Tuesday. I ran the Windows 7 update utility and it ran and it ran ad infinitum. I then remembered looking at http://wu.krelay.de/en/ where I found advice on how to resolve a similar problem two months previously.

    I found that a Windows kernel driver update which was on the July 2016 Patch Tuesday updates list needed to be manually installed. I downloaded KB3168965 for Windows 7 (64-bit) and installed it according to the guidance from http://wu.krelay.de/en/

    On restarting Windows 7, I ran the Windows update utility and the relevant updates were speedily identified, downloaded and installed.

    It seems to be becoming a habit of Microsoft to offer updates which cannot be implemented because one of the updates on the list is pre-required. My trust in Microsoft’s competence is rapidly evaporating.

    I leave it for others to judge Microsoft. I am posting this to draw your attentions to the indispensible http://wu.krelay.de/en/ which allows me to continue to obtain and install Patch Tuesday updates for Windows 7.

  16. Cyber_Bruce

    Looks like Adobe stopped Reader update support for Windows XP browsers (FF, IE, Opera, Chrome). Every time I go to the Adobe download site for the latest update it only shows ver. 11.0.8 — when the latest version actually is 15 something. And they never tell you that the 11.0.8 is NOT the latest version — and they never tell you they stopped all Reader update support for XP.

    Beyond being sociopathically callous — it’s irresponsibly dangerous for Adobe to be so profoundly indifferent.

  17. JimV

    At some point in the last few weeks, Adobe released a Flash update to v22.0.0.210, but only for the ActiveX version. Just checked the direct download page (still claiming to be decommissioned “soon”) and discovered the non-AX version remained at 209 but the AX version had been patched.

Comments are closed.