April 12, 2017

Adobe and Microsoft separately issued updates on Tuesday to fix a slew of security flaws in their products. Adobe patched dozens of holes in its Flash Player, Acrobat and Reader products. Microsoft pushed fixes to address dozens of vulnerabilities in Windows and related software.

brokenwindowsThe biggest change this month for Windows users and specifically for people responsible for maintaining lots of Windows machines is that Microsoft has replaced individual security bulletins for patches with a single “Security Update Guide.”

This change follows closely on the heels of a move by Microsoft to bar home users from selectively downloading specific updates and instead issuing all monthly updates as one big patch blob.

Microsoft’s claims that customers have been clamoring for this consolidated guide notwithstanding, many users are likely to be put off by the new format, which seems to require a great deal more clicking and searching than under the previous rubric. In any case, Microsoft has released a FAQ explaining what’s changed and what folks can expect under the new arrangement.

By my count, Microsoft’s patches this week address some 46 security vulnerabilities, including flaws in Internet Explorer, Microsoft Edge, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player.

At least two of the critical bugs fixed by Microsoft this month are already being exploited in active attacks, including a weakness in Microsoft Word that is showing up in attacks designed to spread the Dridex banking trojan.

Finally, a heads up for any Microsoft users still running Windows Vista: This month is slated to be the last that Vista will receive security updates. Vista was first released to consumers more than ten years ago — in January 2007 — so if you’re still using Vista it might be time to give a more modern OS a try (doesn’t have to be Windows…just saying).

As it is wont to do on Microsoft’s Patch Tuesday, Adobe pushed its own batch of security patches. The usual “critical” update for Flash Player fixes at least seven flaws. The newest version is v. 25.0.0.148 for Windows, Mac and Linux systems.

As loyal readers here no doubt already know, I dislike Flash because it’s full of security holes, is a favorite target of drive-by malware exploits, and isn’t really necessary to be left installed or turned on all the time anymore.

Hence, if you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Adobe also issued security fixes for its Photoshop, Adobe Reader and Acrobat software packages. The Reader/Acrobat updates address a whopping 47 security holes in these products, so if you’ve got either program installed please take a moment to update.

As ever, please leave a note in the comment section if you run into any difficulties downloading or installing any of these patches.


47 thoughts on “Critical Security Updates from Adobe, Microsoft

  1. IRS iTunes Card

    No problems so far with Security patches.

  2. JCitizen

    Thanks for the links Brian – I always rely on your reports to check my Adobe, and make sure it is updating. Apparently the auto updater worked this time too, because I already have the latest version 25.0.0.148.

    Supposedly Firefox will have its own embedded version with the next iteration in version 53.x, so hopefully I can at least dump NPAPI flash at that time. I’ve never needed it with Chrome’s embedded capability. I dumped PPAPI flash long ago.

    1. JoaquinTall

      JCitizen,

      Thanks for the tip! Those of us who reside in the senior living facility, use Firefox exclusively. We play the games on the AARP website, which, rely upon Adobe Flash.

      We miss playing the games, because we deleted Flash and refuse to download the patches, for all the reasons mentioned by Brian and others, here in previous blogs.

      JCitizen, will the Firefox version of Flash “enable” us to resume the games; if you know?

      Many thanks for taking the time to respond!

      Thank you too, Brian, for the most enlightening flow of tech information…regrettably, most—not all—of which goes over our heads.

      1. Willem

        A less radical alternative would be to simply set Flash player to click-to-play and only enable it when needed. This makes drive-by download attacks far less likely will still offering Flash’ full functionality if needed.

        You can set a plugin as click-to-play by going to Firefox’ add-ons manager (Ctrl+Shift+A), choosing Plug-ins to the left, and then in the Drop-down menu for Flash select “Ask to Activate”.

        Mozilla Support also has an article about this.

      1. EstherD

        Never got the reference I requested. Thread seems moribund, but for the sake of completeness…

        Firefox 53 was released today. NO mention of an “embedded version” of Flash in the release notes:
        https://www.mozilla.org/en-US/firefox/53.0/releasenotes/

        What IS mentioned is this:
        “Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor)”

        Perhaps the source of confusion is the confounding of “Flash video” and “graphics” ?

  3. Cameochi

    Yesterday, Microsoft rant KB4018483 to update Adobe Flash Player. Instead, it installed McAfee Live on my computer. I use Kaspersky which was not amused and immediately removed it. There was no option to prevent this from happening and Flash Player was not installed.

    This morning I used the Flash page Brian posted which allowed me to prevent McAfee and an Intel program from installing so I was able to do a clean install.

    This is not a new issue and I cannot understand why Microsoft update would do such a poor job but then Microsoft is not what they used to be. Sad to say.

    1. Robert

      I am skeptical that Microsoft KB4018483 would install Mcafee Live. I have installed the update on three PC’s and did not encounter this behavior. You say this is not a new issue yet I can not find widespread or even minimal mention of the problem on the various Windows related sites.

        1. Jim

          They are right, it will install McAfee. There is a check box that loads slow. So, if you fast click the download button prior to the unclick, you get macafee… Just give it that moment for the page to fully set. Then unchecked the box.

  4. Erik

    Hope this batch is better than the last two, which introduced serious problems for us on both servers (event logging) and workstations (Excel instability). I understand why Microsoft wants to bundle patches together, but the fact is that their QA process for patches is nowhere near good enough to support this practice. They’re not even close to the point of being able to discuss being close. They need to return to delivering them separately, and then possibly aggregating them three or four months down the road once they’ve been reasonably debugged.

  5. Kevin

    I really like Brian’s suggestion to use Sumatra instead of Acrobat Reader. Works very nicely.

    1. George G

      I use Foxit Reader instead and am very happy with it.
      You can even fill out a “non-fillable” PDF document, although that takes a little carefulness.

  6. Nitupercas

    Is it Groundhog Day, i e have I read this title before ??

    1. Gnecht

      That title probably has its own single key on Mr. Krebs’ keyboard.

  7. J.A.

    “Chrome and IE should auto-install the latest Flash version on browser restart”

    Shouldn’t that be Chrome and Edge should auto-install the latest Flash version on browser restart?

    1. J.A.

      And thanks Mr. Krebs! Always learn something reading your site.

    1. Jean R Marseille

      How to Guess Credit Card Number and Security Code in Just Six Seconds
      Criminals can guess your Visa credit or debit card number, expiry date, and its security code in just six seconds, researchers have warned. Experts at the Newcastle University, UK have claimed that it is “frighteningly easy” to compromise Visa’s credit card system online. It could take criminal hackers “as little as six seconds” using guesswork, with access to a laptop and an internet connection. Distributed Guessing Attack, the attack method identified by Newcastle researchers was possibly also used in the recent Tesco Bank heist, where the bank lost £2.5 million.
      Only Visa cards are susceptible to the security flaw
      In a clever brute force attack, researchers figured out that if you made the guesses for the card’s security number from a number of different websites, the card’s security system wasn’t triggered. The process involves guessing and testing hundreds of permutations of expiry dates and CVV numbers on hundreds of different sites to avoid triggering fraud protection measures.Researchers have outlined the method in IEEE Security & Privacy paper, that confirms that this hacking method doesn’t even require any sophisticated level of hacking knowledge or equipment, as it only takes a laptop and a connection to the internet.
      MasterCard credit and debit cards aren’t vulnerable to this security exploit, as they track this same attack method when an attacker tries to guess across different websites. The payment system is designed to shut down cards after 10 attempts or fewer, researchers added. To prevent the attack, either standardization or centralization can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardization nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.
      Visa, however, isn’t designed to take account of multiple websites. As shown in the video at the end of this post, an attacker can easily compile the gathered information to bombard multiple vendors’ sites, trying out different combinations of card number, CVV, and expiration code, easily dodging individual site limits and avoid detection of fraudulent activity.

  8. BaliRob

    I have always liked Adobe Reader in the past is was excellent. But, recently, it fails to open EVERYTHING
    I submit to it – anybody know why?

    I have been off Flash for a number of years but many
    banks using the new http security are demanding
    that their customers use it in conjunction with the
    new security.

    Please explain someone.

    1. Erik

      Well, the brianiacs at NIST finally figured out that “security questions” are an asinine way to “secure” an account last year, and so the banks are looking for something to replace that particular brand of stupid with.

      What’s worse is banks like American Express putting third-party ads on their sites – nothing like a bit of malvertising to go with your login credentials, amirite?

  9. columbus_via LA

    Running Windows 7-64b. IE 11 installed (I thought) but rarely used. I update Flash for it every time anyway, including last month.

    Today, I tried opening IE 11 and found it gone. Poof. Vanished. The window frame that comes up shows only “Internet Explorer (not responding)” and then closes.

    I was able to install the latest Flash on Firefox, my default browser. Per my cautionary routine, I am waiting till Friday to install the latest Windows updates, to make sure they’re not causing any problems.

    The .exe file is still there in my programs directory, but does not open the program. The program is nowhere to be seen on my Control Panel now. Anyone know why my IE 11 just suddenly vanished?

    1. Jim

      Ms stopped supporting explorer and changed over to edge or something like that.

  10. Steve

    “Running Windows 7-64b. IE 11 installed (I thought) but rarely used. I update Flash for it every time anyway, including last month.”

    Ditto on all of that. But I just tried it and had no problems at all. No idea what happened to yours.

    1. columbus_via LA

      Finally solved the mystery. For some reason, EMET “simexecflow” mitigation was kicking in, and preventing IE 11 from starting at every attempt. I went into EMET and disabled that particular mitigation for IE. After that, IE started normally. One source I read said that disabling that particular mitigation for a program was safe as long as EMET was always blocking the program from starting. If EMET was blocking it only sometimes, the simexecflow mitigation should be left enabled.

  11. Sasparilla

    Microsoft Windows 7 & 8 April 2017 Security Only Updates – you need to use I.E. from an admin account to get the download to work properly from Microsoft’s website (probably by design) via their browser – other browsers will not work.

    Windows 7 April 2017 Security Only Update Description: https://support.microsoft.com/en-us/help/4015546/windows-7-windows-server-2008-r2-sp1-update-kb4015546

    Download site for update: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4015546

    Windows 8 April 2017 Security Only Update Description: https://support.microsoft.com/en-us/help/4015547/windows-8-1-windows-server-2012-r2-update-kb4015547

    Download site for update: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4015547

  12. another Jim

    I have been using ubuntu on an old laptop. I used unbuntu 12,14,and now 16 on varous desktops and laptops. For most uses, it is a great replacement for windows. I keep a legacy Windows 7 machine for office applications, but it looks like it will be going to unbuntu and open office soon.
    I recently tried to install unbuntu on a newer windows 10 laptop. It would not load the install from a flash drive. I went to the bios to change the boot order, and discovered that boot order was controlled by an outside program called windows boot order controller or manager or something. Forcing an install of unbuntu with a full disk format would likely remove the windows boot order controller and brick the computer.
    I suppose that flashing on a new bios that is clean and does not require an external windows program would work, butI was not sure hoaw to go about finding a clean bios. I decided it was simpler to not buy the laptop.
    Windows hates competition, and wants to lock in their spy ware OS and applications. Fight for freedom from the dark lord of Redmond.

    1. Sasparilla

      I remember reading that this was something that was coming (BIOS that would require Windows….so Microsoft). Would not be suprised if the hardware vendor got a discount on their Windows license for using it. Who was the vendor?

      I’d just make sure any laptop you get comes preloaded with Linux and you’re good. I know Dell has an XPS that way and there are alot of smaller vendors that will get you there.

    2. jack

      Had the same problem reverting laptop from ms 10 to ms 7 for my wife. I finally brought a new copy of MS 7 and just completely reformatted hard drive to install it. I will stick to my ubuntu!

  13. shing

    Hey Mr Krebs,

    I don’t know if you have any pull with the people at M$ but their new update notification system is a steaming pile of poo. I used to be able to tell from looking at the summaries if an update was currently being exploited or not. Now I have to click into each and every CVE. Additionally one of the exploits currently being exploited is listed as “important.” One would think that would be “critical”…. But hey what do I know I’m just a system admin and not some programmer at Microsoft.
    Anyway if you can ask for extra columns for exploitation if you know anyone over there that would be great.

  14. Ryan

    My update has been taking 45 minutes so far. Stuck on the Bloons screen saying getting Windows ready don’t turn off your computer but nothing is happening. Is this normal?

  15. Tony Pelliccio

    And then there’s Oracle and Java. And vendors like EMC who insist on using ancient ass 32 bit java. To the point where we must have XP boxen as VM that never get updated so we can connect to the blasted EMC products.

  16. JoefromKokomo

    My SONY VIAO laptop, running Windows 7 Pro, which had been unplugged for a few weeks of non-use, did not digest this “forced” Windows update well, and seems to be hung. About 30 minutes so far. Not happy.

    My daughter, also running Windows 7 Pro on her newer Toshiba laptop, launched it instead, since mine was hung in updating (at least that is what we presume since it started at log on and we never got past the Welcome screen), and her laptop was working fine, she was recording a song with our TASCAM Portastudio, when it decided that it was time to run the Windows update, and now it is also stuck in update mode.

    NOT HAPPY CAMPERS. The problem we are experiencing is that both of these laptops are configured so that updates do not launch automatically. That is, the setting that requires the user to allow updates to run is set, but apparently these new patches ignore that setting? Can anyone confirm this or advise if it really takes 30-45 minutes for these updates to complete?

    Argh.

  17. George G

    Vista is still getting an update??

    I have Vista on my older laptop.
    For almost a year now if I went to search for Windows updates it would just keep searching for hours on with no end in sight.

    1. coakl

      April 2017 is the last month with Vista updates. After April, you can turn off Windows Update for good. As a bonus, your machine will run better and boot faster, without all the update scanning hammering your hard drive.

  18. Dunbar Pappy

    Brian;
    Today I visited your site for the first time in 5 years, and was almost shocked (but not entirely) to see almost the exact topics regarding updates for Windows (et al) that I was seeing years ago.
    This reminded me of why (on Brian’s recommendation) I stopped using Windows for Internet work, and switched to a dedicated Linux OS.
    The incessant Windows updating had become so worrisome and time consuming that it was all I was doing…every damn day.
    For those who can’t grasp the relative technical aspects involved; or have grown entirely despondent about the Windows threat landscape counter-measures, words can not describe the Nirvana you attain making this move.
    While not entirely malware free, using Linux will free you from the iron-fisted Microsoft tyranny that so many have accepted as their fate.
    I apologize for not having the link to those Linux articles, but maybe Brian could revitalize his readers interest in migrating their on-line tasks to the Linux OS.

  19. Bill Zardus

    Problem with Comcast remote controls ?

    Has anyone else had a problem with your Comcast
    remote control and had to return it to the Comcast store ?

    This has happened to us twice in less than a year and
    the second time was recently.

    We have to drive about 8 miles to get a new remote
    and when we got there someone from Comcast
    was standing at the entrance to hand out remotes
    and accept the ones that were defective.

    http://www.geekwire.com/2015/xfinitys-new-x1-remote-follows-amazons-approach-to-voice-controls/
    This story was published when they were new
    BY TODD BISHOP on May 5, 2015 at 9:14 am

    This made me think there must be a problem with these
    remotes or they wouldn’t have someone standing at the
    door waiting for people to return them.

    This is very annoying, so I have 2 extra ones now
    in case this happens again before I cancel Comcast.

    —————-

    Also …. Do you happen to know what database Comcast uses
    to give viewers the Movie and actor history when you hit the
    “Info” button while watching a movie? The reason I ask is because
    it is terrible compared to the database that TIVO uses.

    Best Regards

    Bill Zardus
    Folsom, PA
    (metro-Philadelphia)

  20. Matt W

    I suspect a lot of these are CIA zero days getting repaired…

  21. coakl

    Safest way to use Flash, is the built-in “Pepper” Flash in Chrome. Chrome’s sandbox isolates Flash content.
    And use the Content part of Advanced Settings to keep Flash off until I need it.
    Chrome’s auto-update of Flash isn’t ASAP; there is a delay of a few days after a Flash version release. Last night, I had to use chrome : / / components URL, to force the update.

    I don’t install the Flash plug-in that Firefox and I.E. uses, so I don’t have to worry about updating them.

  22. KFritz

    If anyone’s still checking these comments….

    Per my usual procedure, I downloaded the designated updates from the ‘Windows Update Caltalog’ and waited one week after ‘update tuesday’ (to see if major horror stories appear) before installation.

    I have Windows 7 x 64 HP proprietary partitioned off from Ubuntu 16.04 LTS. (Never, ever install an HP proprietary version. You’ve been warned!) I use Windows in a visitor account, with a separate administrative account, as per BK’s long ago advice.

    Two items of interest occurred. None of the .NET updates designated for 7 x 64 would install, possibly because of some HP proprietary issue/configuration (previous .NET updates from the ‘Catalog’ had installed smoothly). Also, for certain programs (ex Firefox), if they’re the first program opened, a small window requesting that I log on as administrator to make (unrequested) changes appears. If I shut the small request window, everything functions well, no problem, but there’s nothing to like about the window’s appearance.

  23. Eaglewerks

    Windows 10 users running the Creators Update are receiving the cumulative update 15063.138 today. Please note that the same build is also rolling out on mobile for Fast and Slow Ring Insiders.

  24. Brian Thomas

    I’ll share this here. Someone gave me a laptop which had been off for several years and all those *years* of win updates were missing.
    I started the update, and waited, and waited. After 12 hours with no obvious sign of progress, I stopped the update, rebooted (again), and let it run overnight, thinking it will recover sooner or later. After another 24 hours and still no sign of progress, I gave up, went searching for alternate solutions. Glad I did.
    wsusoffline update is a godsend.
    Run the generator to build a repo for any win7,8,10 system, incl things like Silverlight, VC redistribs, Office patches, etc. on a usb drive, network share, burn iso…many options.
    Take it to any machine and run the installer. After 4 hours, that old laptop fixed itself, with auto reboot and restart enabled 😉 Windows Update is disabled on all my win systems now and I use w.o.u. exclusively. Rarely do I praise any software, w.o.u. gets 5 stars. I use it extensively for all my VM’s now.
    Finally I can download the updates once (without the wsus fiasco in small environments for every language, despite selecting only english) and run it everywhere, portably from usb drives and n/w shares. Finally…

Comments are closed.