November 9, 2016

Let’s get this out of the way up front: Having “2016 election” in the headline above is probably the only reason anyone might read this story today. It remains unclear whether Republicans and Democrats can patch things up after a bruising and divisive election, but thanks to a special Election Day Patch Tuesday hundreds of millions of Adobe and Microsoft users have some more immediate patching to do.

As the eyes of the world stayed glued to screens following the U.S. presidential election through the night, Microsoft and Adobe were busy churning out a large number of new security updates for Windows, MS Office, Flash Player and other software. If you use Flash Player or Microsoft products, please take a deep breath and read on.

brokenwindows

Regularly scheduled on the second Tuesday of each month, this month’s “Patch Tuesday” fell squarely on Election Day in the United States and included 14 patch bundles. Those patches fixed a total of 68 unique security flaws in Windows and related software.

Six of the 14 patches carry Microsoft’s most’s-dire “critical” label, meaning they fix bugs that malware or miscreants could use to remotely compromise vulnerable PCs without any help from users apart from maybe visiting a hacked or malicious Web site.

Microsoft says two of the software flaws addressed this week are already being exploited in active attacks. It also warned that three of the software vulnerabilities were publicly detailed prior to the release of these fixes – potentially giving attackers a head start in figuring out how to exploit the bugs.

MS16-129 is our usual dogs breakfast of remote code execution vulnerabilities in the Microsoft Edge browser, impacting both HTML rendering and scripting,” said Bobby Kuzma, systems engineer at Core Security. “MS16-130 contains  a privilege escalation in the onscreen keyboard function from Vista forward. That’s great news for anyone running touchscreen kiosks that are supposedly locked down.”

As part of a new Microsoft policy that took effect last month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). 

brokenflash-aIt’s important to note that several update types won’t be included in a rollup, including those released for Adobe Flash Player on Tuesday. For the second time this month, Adobe issued a critical update for its ubiquitous Flash Player browser plugin. The newest Flash version — v.  23.0.0.207 and available here for both Windows and Mac computers — plugs at least nine more flaws in Flash. To see if you have Flash installed and if so what version is running, check this link.

Google users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Somehow KrebsonSecurity neglected to mention the other critical update Adobe pushed for Flash on Oct. 26, 2016 (my bad folks, sorry). It’s really hard to keep up with Flash updates sometimes. That’s part of the reason I’ll continue to encourage readers to disable or remove Adobe Flash unless until it is needed for something specific. Fewer sites now require it, and leaving this buggy, powerful program enabled all the time is just asking for security trouble. Check out the advice at A Month Without Adobe Flash Player for tips on how to hobble or do without Flash entirely.

Indeed, Google reportedly is planning to phase out full support for Flash on its Chrome browser by the end of 2016. And Mozilla is now blocking certain Flash content deemed “not essential to the the user experience.” Specifically, as stated by Mozilla’s Benjamin Smedberg, Mozilla Firefox is blocking specific Flash content that is invisible to users.

“This is expected to reduce Flash crashes and hangs by up to 10%. To minimize website compatibility problems, the changes are initially limited to a short, curated list of Flash content that can be replaced with HTML,” Smedberg wrote back in June. “We intend to add to this list over time.”

For more on this week’s patches, check out coverage from security firms Qualys and Shavlik. And, as always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.


39 thoughts on “Patch Tuesday, 2016 U.S. Election Edition

  1. IRS ITUNE cards

    Adobe Flash should be banished off the internet for good.

  2. RC

    It was those on the Marxist left–who were the cause of the divisiveness–they lost America wins.

    1. Sam

      Fascism is what capitalism begins turning into when it starts failing.

    2. Harry Dyke

      Putin got exactly what he wanted, that’s for sure. #RiggedByRusssia

    3. NotMe

      Still Russian trolls stalking websites fomenting divisiveness.
      America will survive.
      It does not matter who you voted for now.
      It matters what you do tomorrow.

  3. Tom Van Beek

    Ha – I took the hook… and opened the email just because it said “U.S. Election Edition”. I guess a good journalist is always working on that headline to grab your attention. It worked. I wonder how many phish attempts will leverage the same ploy today.

  4. Debbie Kearns

    Well, today I installed the Windows Rollout Update, and when I restarted my computer, the Windows Audio Service was not running because the update must have stopped it. Fortunately, I ran “services.msc” and had to restart the Windows Audio Service by right-clicking on “Windows Audio Service” and clicking on “Restart”, and behold, the audio is now working again. This is weird.

  5. Jay

    Sorry if this is a beginner question but … I have a laptop with windows 8.1. I control the admin account, but I use a standard account normally. When I try to install an update, the User Account Control dialog box comes up, and I have to choose between “Connect a smart card” or put in the admin password.

    I don’t have a smart card, so I put in the password. But as soon as I do, it blankly acts like I didn’t type the password at all.

    Microsoft updates will ask, “Are you sure you want to cancel the update?” Java updates will say “Update cancelled by user”. But I didn’t cancel, I typed the password like it asked.

    I am sure I am using the right password because it works fine if I just log into the computer as admin, not trying to install anything.
    Sometimes if I try the update like 10 times, it will eventually work. For whatever reason.

    How do I fix this, or do most people on win8 just log in as admin every week to do their patches?

    1. SeymourB

      I would verify that you’re typing the right username and password combo, typing the admin password while using your standard user account name won’t work. You can also try the trick of your system name followed by \ and then the username (e.g. testsystem\testadmin).

      I know there’s an option in Windows 7 to allow any user to install updates on the system, its probably still around in group policy if not still a selectable option.

    2. JCitizen

      What you are describing can be summed up as “just that Windows thing” Who knows what makes it brain fart? If I were you, I would have upgraded to Win10, because at least it has a lot of forum information out there on fixing weird things like that.

      No more Mr. Fix it!! I really miss that tool!

  6. elkhorn

    After this forced update in the middle of the night, my system (win 10 pro) rebooted, and in the morning I was presented with a black screen with the rolling balls at the bottom of the screen. After an hour, they were still there.

    I forced a power-off / reboot. After the POST, I got the same screen with the balls.

    Again, I forced a power-off / reboot after 10 minutes of this silliness.

    This time, windows came up “normally”…

    Any idea what’s going on here / insight into this behavior?

    Thank you. Elkhorn

    1. nullzilla

      There’s a bug with Logitech wireless USB dongles, unplugging them should fix the spinning dots. Try installing latest Logitech Setpoint software for a long term solution.

      1. elkhorn

        nullzilla –

        Hey, thanks for the hint.

        I’m d/l the latest logitech software and will try installing it. If course, I prolly not be able to test it until the next forced sys update…

        Thanks. Elkhorn.

    2. Dirgster

      I have the same problem with my Windows 10 system every time I need to restart after Microsoft’s updates. The computer will freeze, showing the rotating download icon on a black screen. When forcing a shutdown, then restarting as soon as the computer shuts off, the system comes back to life again. Here is what I believe causes the problem: It’s most likely my external hard drive that interferes with the restart, and I wonder whether you also have one connected to the PC. If I disconnect the external hard drive before restarting, the restart will progress as expected. You might want to try that route.

    3. dcmargo54

      I had the same issue and it took me quite a while to figure out what it was. Turns out my Logitech wireless mouse receiver was causing the problem. Somehow it was causing an issue where the drivers would get stuck loading. As soon as I would unplug the USB receiver from the computer it would spring back to life. Replaced the mouse and haven’t had the issue again.

  7. Ashley White

    Jay7. Trade your laptop in, get away from Windows 8.1. Thats about the best advice I have for you 🙂

  8. Columbus_viaLA

    Brian, you seem to have ceased mentioning that, if you have IE and, e.g., Firefox, you have to do a separate Flash update download from each browser.

  9. Drone

    Hillary gets trumped at the polls, and the very same day we get a bunch of Flash vulnerabilities. She’s one angry vindictive woman that one!

  10. Andrew

    Hi Brian. Apologies for being a bit off the topic, but do you think these things may be related?

    Oct 11, White House Vows ‘Proportional’ Response for Russian DNC Hack -http://www.wsj.com/articles/white-house-vows-proportional-response-for-russian-dnc-hack-1476220192

    Oct 21, Is Russia Behind the Massive DDoS Cyber Attack? –
    http://heavy.com/news/2016/10/ddos-attack-cyber-russia-false-flag-us-putin-trump-obama-cia-north-korea-poodlecorp-netflix-twitter/

    Nov 09, Russia’s Central Bank reports DDoS-attack on major banks – https://www.rt.com/news/366172-russian-banks-ddos-attack/

  11. elphen

    I’m taking security more seriously now. Just found this site and will be here frequently. Thank you Brian for your thoughtful and well-written work.

    I need advice on securing PCs on my home LAN. All machines are Windows 10. All are running on the default type of account (owner semi-admin?).

    I did not set passwords. But I think “simple file sharing” is disabled.

    Now I want to be sure that a virus on one machine cannot propagate to another. Two questions:

    1) Am I already protected from this? I’m pretty sure that a user on one machine cannot simply browse to another over the LAN.

    2) If I do need to set individual user passwords, will that prevent propagation?

    I’m asking because one machine did pick up a key-logger that stole Steam login creds, and I was amazed that no security software out there could detect it! I tried every major package and several specialty utils, and extensive log / autoruns analysis etc. I finally reinstalled Windows.

    That seems to have fixed it but I’m concerned that the KL may have spread, and want to be better protected if this happens again. Hence my LAN question.

    Thanks for any advice.

  12. Old School

    The following series of events indicates that the Windows 7 patch bundle was released after Patch Tuesday, November 8, 2016. Here is the story. I have Windows 7, Windows Update set to “Never check for updates” because of the Windows 10 misery. On October 29 I ran Windows Update and installed KB3192403. On 11/09/2016 I ran Windows Update and only got KB890830, the Windows Malicious Software Removal Tool. I did not reboot but ran Windows Update again. Nothing else was found. Today, 11/10/2016, I read Krebs and saw that a patch mentions Windows 7 so I ran Windows Update again and got KB3197868. I went to KB data base but I could not find a release date. Why was KB3197868 not downloaded on 11/09/2016?

  13. Mike

    I applied the updates and my second hard drive disappeared on the restart! fortunately it reappeared after a second restart

  14. Patrick

    That is why i prefer use the Chrome. The option of select that’s contents go run is very useful. Ally to script safe and adblock, i think that does the navigation most safe. I’m right Brian?

    1. SeymourB

      The problem with Chrome is that it tells Google what you’re doing. They want their marketing metrics, and if you use their browser, you’re going to give it to them.

      I’m not saying the alternative is to run off and use IE or (blech) Edge, but just to pause a moment and figure out what you’re getting yourself into before jumping down the hole.

      You’re certainly taking good steps with running an ad blocker though. I don’t give a crap about ads, show me ads all you want… what I care about the large percentage of ads that are actually malware. Block all ads to keep out the malware seems like a rational choice to me; if they want to stop me from blocking their ads then do something about the malware. Once they’re gone they can pop up pop under pop over like crazy… I won’t go back once I see that stuff, but hey, at least its not infecting me.

  15. Oasis

    I got the KB3197868 & KB890830 on MS Tuesday and I noticed yesterday that there was an update available and thought nothing of it thinking it was a Windows defender update. Upon checking I noticed that it was another KB3197868 with a different date(11/09) I checked back and the updates from MS Tuesday installed
    (succeeded) and I let this update install just to see what would happen. It also installed fine. None of my other machines got this (extra)update. This one is W7x64 and the other 2 are W7x64 and W7x86.

  16. Jim

    I also use chrome, and there are setting you can use to not disclose. Which I use when on other systems. You just have to hunt them down.

  17. coakl

    Warning to those still on XP.
    I turned on automatic updates on an XP machine recently, but got no results, no updates offered at all. Not even the Malicious Software Removal Tool. But the svchost.dll kept consuming 50% of the CPU. Turning off automatic updates did not stop this 50% CPU pig. I had to turn it off and reboot to eliminate the useless CPU hog.

    I still have MS Office Compatibility pack SP3 and Word/Excel viewers, so I was sure there were updates. Those updates, as well as the Aug. 2016 edition of the MSRT, only came up when I manually went to the Windows Update site.

    This is just one more step to cutting off XP users: auto-updates don’t work, and MSRT isn’t being offered at all for XP. The creepy thing about it is the 50% CPU hogging. For all XP users still out there, turn off Automatic Updates…it ain’t worth a warm bucket of spit, but it still kills half of your CPU.

    1. Chris Pugson

      I have found that the situation varies from PC to PC so I guess that some corruption of the XP updating mechanism has taken place.

  18. Chris Pugson

    The Windows 7 update facility is now totally useless. It just runs and runs and runs and …

    It’s a good job that the rollup feature makes it possible to do without it.

  19. Raven

    I’m doing something wrong and it started with this rollout update. I can not get my November security patches. It say no updates available, but my history shows nothing was applied this month. Even Microsoft Essentials is not updating unless I pull it up myself. I am running Windows 7 and had my settings set for notify, but have changed it to automatic now. Still I get no updates available for me. Anyone have any ideas, Windows 7 is off support so I can’t ask them. I do have some hidden updates, if there is one I really need. Last month came in very late, 10/18, but at least I got them. Thanks for any help offered.

Comments are closed.