19 Feb 17

February Updates from Adobe, Microsoft

A handful of readers have inquired as to the whereabouts of Microsoft‘s usual monthly patches for Windows and related software. Microsoft opted to delay releasing any updates until next month, even though there is a zero-day vulnerability in Windows going around. However, Adobe did push out updates this week as per usual to fix critical issues in its Flash Player software.

In a brief statement this week, Microsoft said it “discovered a last minute issue that could impact some customers” that was not resolved in time for Patch Tuesday, which normally falls on the second Tuesday of each month. In an update to that advisory posted on Wednesday, Microsoft said it would deliver February’s batch of patches as part of the next regularly-scheduled Patch Tuesday, which falls on March 14, 2017.

On Feb. 2, the CERT Coordination Center at Carnegie Mellon University warned that an unpatched bug in a core file-sharing component of Windows (SMB) could let attackers crash Windows 8.1, and Windows 10 systems, as well as server equivalents of those platforms. CERT warned that exploit code for the flaw was already available online.

The updates from Adobe fix at least 13 vulnerabilities in versions of Flash Player for Windows, Mac, ChromeOS and Linux systems. Adobe said it is not aware of any exploits in the wild for any of the 13 flaws fixed in this update.

The latest update brings Flash to v. 24.0.0.221. The update is rated “critical” for all OSes except Linux; critical flaws can be exploited to compromise a vulnerable system through no action on the part of the user, aside from perhaps browsing to a malicious or hacked Web site.

Flash has long been a risky program to leave plugged into the browser. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep and update Flash, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.
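The article quotes the patched Flash build as 24.0.0.221, while Adobe’s “about” page (quoted in the comments below) reports installed builds with commas, e.g. “You have version 23,0,0,205 installed.” The following is an added example, not code from the article or from Adobe: it parses both notations and compares builds numerically, field by field, so that a later build such as 24.0.0.1000 is not mistakenly ranked below 24.0.0.221 the way a plain string comparison would. The browser labels and the sample version strings fed to it are constructed for the example.

```python
import re

# Build the article says the February 2017 update brings Flash to.
REQUIRED_FLASH_VERSION = "24.0.0.221"


def parse_flash_version(text):
    """Extract a four-part Flash version from a bare string ("24.0.0.221"),
    Adobe's comma form ("23,0,0,205"), or a whole sentence containing one,
    and return it as a tuple of ints so it compares numerically."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError("no four-part Flash version found in: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_patched(installed, required=REQUIRED_FLASH_VERSION):
    """True when the installed build is at or above the required build.
    Tuples of ints compare element by element, which is the comparison we
    want; comparing the raw strings would rank "24.0.0.1000" below
    "24.0.0.221" because "1" sorts before "2"."""
    return parse_flash_version(installed) >= parse_flash_version(required)


def report(browser_versions, required=REQUIRED_FLASH_VERSION):
    """Map each browser label to 'ok' or 'update needed'.
    browser_versions: {label: version string as shown by that browser}."""
    return {
        label: ("ok" if is_patched(version, required) else "update needed")
        for label, version in browser_versions.items()
    }


if __name__ == "__main__":
    # Constructed sample input: values quoted in the article and comments,
    # plus a hypothetical lagging Firefox plug-in build.
    sample = {
        "Edge (embedded Flash)": "You have version 23,0,0,205 installed.",
        "Chrome (component)": "24.0.0.221",
        "Firefox (NPAPI plug-in)": "24.0.0.194",
    }
    for label, status in report(sample).items():
        print("%-28s %s" % (label, status))
```

Paste the sentence from Adobe’s version page straight into `parse_flash_version`; the regular expression tolerates either separator, so the same check works for a browser that reports dotted builds and for one that reports comma-separated ones.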


44 comments

  1. For those of us that still have to use Adobe flash, the auto updater has been working better and better; I checked the version number Brian had in the article and it was already updated. At least Adobe seems to be getting it together – now if we can get Microsoft back on schedule! 🙁

  2. Remarkable that updates should be withheld when there are known issues. Some say that Microsoft possibly has infrastructure problems.

    Being a user of MalwareBytes Anti-Exploit Premium is fairly reassuring.

    • Does EMET work well in Win 8.1 or Win 10? You get better coverage that way, instead of just the browser – I do have to give Malware bytes credit though.

      • Yes, EMET 5.5 is compatible with W10 & downward to Vista. As to its effectiveness in securing a system against these types of threats…not sure. However, it is another layer of defense I use with W10 to routinely to guard against unknown threats in addition to other methods. So far, no issues that I’ve experienced.

    • MBAE won’t help in this case though, as the bug is in Windows’ SMB system for sharing folders across the network.

      So, although I still think Microsoft should’ve released a patch for this issue, I admit the impact is limited:

      1. A malicious user on your local network could crash your computers (but not infect them) or:
      2. For some reason, you’ve made your shared folders available to the internet. In this case, anyone in the world could crash your computer. But in this case, you’ll likely have bigger things to worry than that.

  3. KB2952664 reappeared briefly as an optional Windows update on 9 Feb 2017.

    “reappeared”: my notes remind me that KB2952664 was the first of many “updates” Microsoft offered starting in 2015 that installed “Get Windows 10” nagware.

    MS’s blurb for New! Improved! KB2952664: “This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate compatibility on the Windows ecosystem and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.”

    “GWX” = “Get Windows 10”. The blurb’s closing sentence suggests MS belatedly gained awareness of some customers’ views of its use of the update channel as a marketing tool.

    “briefly”: KB2952664 disappeared from the Microsoft updates offered to me on Tues 14 Feb 2017. Unknown (to me) whether this appearance / disappearance is related to what Brian reports. (BTW — Thanks, Brian, for continuing this topic.)

    “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

    My questions: Did anyone install the New! Improved! KB2952664? Any comments? If it reappears yet again, for otherwise up-to-date versions of Windows 7, does installing KB2952664 offer any benefit to the user?

    • They removed the GWX components because Microsoft no longer gives 10 away for free.

      So rather than gaining some humility, they’re just attempting to gain a new revenue stream – people silly enough to upgrade to 10 after the free upgrade period expired.

      I imagine the update is probably safe to install provided you don’t mind taking part in the CEIP. Personally I don’t beta test for free, but that’s just me…

      • Thanks for your comment. You’ve confirmed my guesses.

        FWIW, KB2952664 was back on my optional update menu this evening (21 Feb 2017). I hid it, but I know: it’s likely to rise yet again from the un-dead.

  4. IRS iTUNE cards (real)

    Easy month with security patches, the calm before the storm in February.

  5. Hi there. I was under the impression that Windows 10 has an ’embedded’ version of Flash i.e. one that we cannot update from the Adobe website. Am I right, please? PS yes, Flash is a real PITA.

    • Yes, MS took over the responsibility for patching Flash in IE for W8.1/10 a few years ago.

      • So doesn’t that mean that Edge users will be running a vulnerable version of Flash for another month?

        http://www.adobe.com/software/flash/about

        You have version 23,0,0,205 installed.

        The same page says I should be on 24.0.0.221 to be patched. Chrome, of course, is current.

        • I went in to Edge under “Settings” > “Advanced” and temporarily toggled Flash off. No need to contend with any added exposure if I don’t need to use Flash.

          • FYI – Just checked and Flash on W10 Edge was updated to 24.0.0.221 this evening on my systems as of 2/21/2017.

      • Quite irritatingly, the version of Flash embedded within Windows 10 is of the ActiveX flavor (PPAPI) and cannot be updated manually as the non-AX flavor (NPAPI) can if you’ve installed it for Firefox, nor has anything been provided to update it yet by the internal OS process — and apparently won’t be made available for another month until the March patch is released.

        Thanks, MS…

    • The Chrome Web browser also has embedded Flash that Google updates. Running Flash apps is the only thing I use the Chrome browser for. I don’t have anything from Adobe (or Oracle) installed on any machine.

  6. Those of us that run a “proper” operating system (Linux) are not beholden to Microsoft and patch Tuesdays – posted by someone who used to support MS DOS 2.0 !! 🙂 41 years in I.T. now

    • Proper operating system indeed! I migrated all our computers to Linux (Ubuntu) when Win10 came out. Updates are a piece of cake. Never an issue – never a crash.

    • As someone who supports multiple Linux systems you and I both know those vendors issue their patches haphazardly without regard to any schedule. Even Red Hat Enterprise Linux just pops them out at their pleasure. Fully patched today, but maybe not tomorrow. Fully patched in test and applications validated? Oops, a new kernel version was just released. Start over. What’s that you say? You had other plans on your schedule? Too bad. It’s a critical.

    • While not a desktop o/s, the venerable VMS (or OpenVMS if you prefer) systems also do not march to the tune of any patch tuesday. To paraphrase a line from “The Treasure of the Sierra Madre:” Patches!? We don’t need no stickin’ patches!!

      • Unfortunately, VMS is on life support. It hasn’t gotten new features for years and none of the DEC VMS engineers are left at HP. There is only some sustaining engineering support in India, if I remember correctly. I’ve forgotten when HP is going to completely drop support. I’d like to see it open-sourced, but among other issues, there is 3rd party licensed code in there and trying to get that released is probably next to impossible.
        It’s hard to believe it’s been 20+ years since I left DEC.

  7. I’m skeptical of their explanation. No one with an operation as long-running as this should ever find a “last minute” problem. Microsoft certainly isn’t the fastest company on the block in fixing critical issues so this is very odd indeed. If it only affected “some customers”, block them from receiving the updates and let everyone else have them.

    Unless, of course, “some customers” really means “every Microsoft customer who has Windows installed and fortunately there are a few who don’t otherwise we’d have to say “all customers””.

    But no patches at all? Not the security one, not the Windows one, nothing?

    Worst case is this is Juniper all over again where they were about to push out backdoored updates or they found they already have.

    This screwed up our process for installing and testing Microsoft patches. The upside is that the people dedicated to manually testing our niche applications suddenly have a few days free on their calendar this month. 🙂

    • This is what happens when you change your patch process so that everything is just a monthly blob of combined patches (not installable by themselves anymore, because they want to force people to install the non-security updates à la Windows 10) and one of the pieces has a bug they noticed at the last minute.

      Presumably they could just drop the bad patch out of the blob and send out what they had (maybe a few days late)…but they just delay everything a month – seems crazy…

      • If you can disable automatic updates and use the Microsoft Update Catalog, the .NET updates are a separate download, and, thus, can be installed separately. A small mercy.

  8. Thanks for the update, I was wondering what was going on with Windows…!

  9. Microsoft is planning to release the update for the flash player on Tuesday, February 21, 2017 for the operating systems Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

    • Know what time of day it will be released? It’s now afternoon in Redmond, and there’s nothing yet available.

    • Nothing yet for Flash Player on W8.1

      • Got an e-mail notice from MS for the availability of the updates time-stamped about 5:30 CT, so the Flash patch for all the affected OS flavors is now out.

        • This month’s MRT (malicious software removal tool) apparently was released overnight, and can be downloaded through Windows Update on all OS systems.

          • Good grief. Sending positive thoughts your way. Is there a bigger, better hospital anywhere nearby? Can you safely travel to it, if so? Send us an update as soon as you can. Hoping all is well…

  10. You can manually force Chrome to update – courtesy of Michael Horowitz
    chrome://components
    in the browser bar and make sure all the components are updated – Google Chrome is the way to go in my opinion. Windows 7 Professional 64 bit user here and able to update Adobe Flash manually without an issue. The SMB 3.x does not affect me since it was introduced with Windows 8.x so it affects those lines. This may make Windows 7 Professional usage jump in the March 1 stats for February 2017. I await those stats with interest.
    http://computerworld.com/article/3170155/internet/how-to-immediately-update-flash-in-chrome.html
    Information submitted to Microsoft in September 2016 and vulnerability made public recently – will not be patched until March 14, 2017 so protect your networks as best as possible until that time.
    https://www.kb.cert.org/vuls/id/867968

  11. Come on … let’s get into the real fun … what’s the speculation on what is really going on …

    What’s going to cause, “discovered a last minute issue that could impact some customers”? An “issue” that prevent Microsoft from releasing all updates, all OS versions, all application … ALL UPDATES? Let’s start the speculation ball rolling …

    Sounds like Microsoft’s patch deployment environment was hacked.

  12. What’s the build for the current version of Chrome for Windows 10? Mine is showing 56.0.2924.87, but I don’t remember updating it, it hasn’t updated, and Flash is showing the plug-in for Chrome being behind.

  13. I guess Microsoft’s statement that Windows 10 is more secure than Windows 7 now looks more difficult to justify when you simply can’t update the flash component of IE and Edge. A Win 7 computer with Chrome and EMET looks even better than before…

  14. So, flash player can’t be update with Edge browser? Says updates are applied automatically but the version is older than the newest one.

  15. Short month guys.

    no time, no time. . .

  16. Has it occurred to anyone else that part of the problem is understaffing to get those quarterly profits looking good? Plus to make up for the visionary acquisition of Nokia’s cellphone unit?

  17. Windows just did an update for the Windows mal update for Feb 2017. Hope you all got it.

  18. Just know why I personally stuck with Linux but Adobe still is a mess 😉

    Greetings from Germany,
    Sebastian Bartsch

  19. According to Slashdot:

    94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights
    https://tech.slashdot.org/story/17/02/26/1047257/94-of-microsoft-vulnerabilities-can-be-mitigated-by-turning-off-admin-rights?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

    In the same article, they are saying Windows 10 has more vulnerabilities than any other OS. That is a pretty bold statement considering that everyone seems to be so down on Windows XP for the same reason. Ya know, there can be only one #1.

    Now before anyone starts saying that this is why Apple is so much more secure than Windows…..well that isn’t what this means at all. The only thing that makes the iPhone secure is the initial sequence of numbers it takes to log into it. That is the height of ALL their security. Once logged in, it essentially has the same issue. The iPhone might live in a structured environment but you can still get infected (this has been proven). It’s all the same thing with iPads and various other smartphones and tablets.

    Personally, I prefer Linux to all of it. But Linux does have issues too.

    Take these updates and patches with a grain of salt. What will often keep you safe is what you DON’T do.