March 14, 2017

Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software.

brokenwindowsMicrosoft’s patch to fix at least five critical bugs in the Windows file-sharing service is bound to make a great deal of companies nervous before they get around to deploying this week’s patches. Most organizations block internal file-sharing networks from talking directly to their Internet-facing networks, but these flaws could be exploited by a malicious computer worm to spread very quickly once inside an organization with a great many unpatched Windows systems.

Another critical patch (MS17-013) covers a slew of dangerous vulnerabilities in the way Windows handles certain image files. Malware or miscreants could exploit the flaws to foist malicious software without any action on the part the user, aside from perhaps just browsing to a hacked or booby-trapped Web site.

According to a blog post at the SANS Internet Storm Center, the image-handling flaw is one of six bulletins Microsoft released today which include vulnerabilities that have either already been made public or that are already being exploited. Several of these are in Internet Explorer (CVE 2017-0008/MS17-006) and/or Microsoft Edge (CVE-2017-0037/MS17-007).

For a more in-depth look at today’s updates from Microsoft, check out this post from security vendor Qualys.

And as per usual, Adobe used Patch Tuesday as an occasion to release updates for its Flash Player software. The latest update brings Flash to v. for Windows, Mac and Linux users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

brokenflash-aThe smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Finally, Adobe also issued a patch for its Shockwave Player, which is another program you should probably ditch if you don’t have a specific need for it. The long and short of it is that Shockwave often contains the same exploitable Flash bugs but doesn’t get patched anywhere near as often as Flash. Please read Why You Should Ditch Adobe Shockwave if you have any doubts on this front.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

26 thoughts on “Adobe, Microsoft Push Critical Security Fixes

  1. IRS iTunes Card (real)

    Having issues with my Windows 8.1. pro laptop and the March security roll up, will not install correctly

    ” Damn Microsoft to hell”

  2. JimV

    Another reason to ditch Shockwave is that Adobe won’t allow you to even download the update executable file if you’re using a 64-bit browser, as it automatically redirects you to a webpage that “recommends” you install and utilize a 32-bit browser because Shockwave won’t run properly on the 64-bit versions. There are some other statements about how there is no 64-bit version of Shockwave, implying strongly that there won’t ever be one.

    So, it’s now gone for good from my systems — Adobe seems to have an institutional mindset of really poor-quality brick…

  3. sad panda

    To install these microsoft patches, you simply need to load up windows update and click “check for updates”, right?

    1. JCitizen

      It should – I noticed this time Adobe would not auto update until the Microsoft patches were downloaded. This is the first time in the last five updates that flash has not simply auto updated seamlessly without incident.

  4. Knott Kneeded

    I solved all my Windows problems. I switched to Apple.

    1. Tom R

      I never had a single Windows problem that I couldn’t fix by simply loading a back-up image and restarting the PC. Being smarter than your OS goes a long way. By all means stay with Apple. Those systems were specifically designed with the technically incompetent in mind.

      1. Erik

        That’s neither terribly nice nor terribly bright. I’ve been working in IT for 30 years and I’m reasonably close to the top of my field. I use Apple products because to me my computer is just a tool for getting things done – nothing more, nothing less. I spend considerably less time having to maintain my tools with Apple products than I did with Microsoft products. I also ran Linux as my primary machine for a few years, and in terms of overall maintenance it was worse than Windows (very nice on a day-to-day basis, but when problems did occur they were monsters). Apple is pretty much the day-to-day reliability of Linux with none of the downsides other than price. When factoring in the value of my time, I consider their products to be a bargain.

        1. TreFunny

          to be fair, any IT professional probably needs access to all 3 system types at some point (Apple, Microsoft, and pick your flavor of Linux)

          That said as a Sys Admin I use a Macbook with all of them loaded in VMs running OSX as the host OS.

          Dont hate any particular OS, they all have Pros and Cons… none of which are considered better than the other.

      2. bob

        “simply loading a back-up image and restarting the PC”? That’s my first LOL of the day. Had you considered switching to an OS that works?

    2. Youssa

      Really? That comment belongs on/r/iamverysmart, there’s really no need to pull out your john for measurements. Everyone is different and I know quite a few technically savvy individuals that prefer apple products over Windows/Linux.

      Y’all take care.

  5. A B

    Microsoft also released updates for its Mac OS products today.

  6. Pervert™

    Without Flash installed, how is one supposed to watch Internet porn? 😉

    Seriously… is “HTML5 video” really that ubiquitous on such sites?

    1. NSA

      By going to the Opera (seriously), and run it in Sandboxie.

    2. timeless

      As a general rule, that industry tends to be on the leading edge. C.f. VHS.

  7. Jim

    About, Apple, remember, outdated slower hardware, usually a year behind what is available to public gamers. To update your system, you have to choose only Apple hardware, with my win system, if a piece of hardware goes bad, I can take it to any repairer. Not to a special repairer, who sends the unit to a repair facility. Or, I can repair it myself. With locally available, budget friendly parts.

  8. Sasparilla

    For those wanting just the security only update for Windows 7 & 8 for March (cause Microsoft backported the user monitoring functionality from Windows 10 into 7 & 8.1 via non security updates) here you go.

    Remember to work I’ve found you have to use I.E. and from an Admin login for their site download to work correctly…so nice Microsoft make it as much of a pain as possible). Good luck all.

    There is also now a separate I.E. security only update that it applies to Vista and higher (hadn’t seen that before….only Microsoft knows why its separate since I.E. is integrated into the OS) :

    March 2017 Security Only Windows 7:

    March 2017 Windows 8.1 Security Only Update:

    1. Sasparilla

      Only Microsoft, the I.E. only update looks like it should be there for Windows 7 and 8.1, talks about it on the source web page, but is not on the download page…screwup on Microsoft’s part probably.

      Here’s the Microsoft page saying why we need this:

      The download page only shows Vista and Server 2008 & won’t install on 7 or 8.1.

      Digging around I found a source and download page that should work for the separate I.E. download, here is the source page (same update number):

      It links to a separate download page for the I.E. only download (careful they have different I.E. versions listed here choose the correct one, 11 being the latest):

      Good luck folks….

  9. Bob Perrin

    Thanks for the notice about Flash Player. I am running win 10 (1607) build 14393.953, and Firefox 52.0 (64-bit). Usually, To check that my extensions and plugins are up-to-date, I can select “Tools>Add-ons”, click on the gear icon and select “check for updates”. In the past, this has usually caught the out-of-date Flash Player but, for some reason, this time it did not.

  10. Mike

    Ah, the things i’ve watch change over the years thanks to my dad educating me according to his full-breadth education, early and late. It didn’t make me smarter much, but it did allow me to see where things come from and how (badly?) they change.

  11. SBartsch

    Thanks for the notice (otherwise I might have forgotten to update my only left Windows installation…).

  12. KFritz

    I’m using the Microsoft Update Catalog for my HP Windows 7 business desktop. I ran down the list of individual updates included in the March “Security Only Quality Update.” Several of the individual updates are described as unnecessary for Windows 7. Since October, I’ve been installing the entire “Security Only” package, seemingly without a problem. What happens to the unnecessary items: do they sit inertly in the machine and do nothing or can they wreak havoc?

    Also, the lists of drivers which appear further down the list of updates seem to overlap. The final message from Redmond about them is, “Driver Information: Coming Soon
    Thank you for using Windows Update. The More information feature is not available yet. We apologize for any inconvenience.about these drivers.” Way to go, Microsoft.

  13. Grey Peterson

    What I like to do in Firefox is set the Adobe Flash Plug-in to ask to be activated, so I can pretty much chose when it runs on a per-website or as-needed basis. Thankfully I don’t need it often since so many websites are wising up and moving on to HTML5.

Comments are closed.