May 9, 2017

Adobe and Microsoft both issued updates today to fix critical security vulnerabilities in their software. Microsoft actually released an emergency update on Monday just hours ahead of today’s regularly scheduled “Patch Tuesday” (the 2nd Tuesday of each month) to fix a dangerous flaw present in most of Microsoft’s anti-malware technology that’s being called the worst Windows bug in recent memory. Separately, Adobe has a new version of its Flash Player software available that squashes at least seven nasty bugs.

Last week, Google security researchers Natalie Silvanovich and Tavis Ormandy reported to Microsoft a flaw in its Malware Protection Engine, a technology that exists in most of Redmond’s malware protection offerings — including Microsoft Forefront, Microsoft Security Essentials and Windows Defender. Rather than worry about their malicious software making it past Microsoft’s anti-malware technology, attackers could simply exploit this flaw to run their malware automatically once their suspicious file is scanned.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft warned. “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned.”

On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.

“Still blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos.” Google’s Ormandy tweeted on Monday. “Amazing.”

In addition to the anti-malware product update, Microsoft today released fixes for dangerous security flaws in a range of products, from Internet Explorer and Edge to Windows, Microsoft Office, .NET, and of course Adobe Flash Player.

The latest Flash Player, v. 25.0.0.171 for Windows, Mac, Linux and Chrome OS, is available from this link. Adobe’s advisory for this update is here. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware, and failing to keep up with its continuous security updates can leave users dangerously exposed. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.


29 thoughts on “Emergency Fix for Windows Anti-Malware Flaw Leads May’s Patch Tuesday”

  1. Bread

    Why didn’t you mention that Natalie Silvanovich was part of the duo that reported this issue to Microsoft? We can do better for our sisters behind the keyboard.

    1. AJA

      “Last week, Google security researchers Natalie Silvanovich and Tavis Ormandy reported to Microsoft a flaw in its Malware Protection Engine, a technology that exists in most of Redmond’s malware protection offerings…”

  2. Sasparilla

    For those wanting security only updates for their Windows 7 or 8 machines…

    Windows 7 Security only:

    https://support.microsoft.com/sw-ke/help/4019263/windows-7-update-kb4019263

    Windows 8.1 Security only:

    https://support.microsoft.com/en-us/help/4019213/windows-8-update-kb4019213

    Don’t forget the I.E. update that is separate:

    https://support.microsoft.com/en-us/help/4018271/cumulative-security-update-for-internet-explorer-may-9-2017

    I’ve had to use I.E. via an admin account saving the patches locally to be successful in the past, but your mileage may vary (Microsoft might improve this someday).

    1. Dave

      Thanks for that. For my main work machine the March update was a toxic update, bluescreen-reboot loop when it’s applied (so I’m getting that Windows 10 toxic-update experience even though I’m not on Windows 10), and thanks to Microsoft turning all updates into one giant blob there’s no way to avoid the toxic portion. This meant I’d never be able to update again, because I’d always get the toxic portion that killed my system. Being able to grab just the security updates at least means I can stay partly patched.

      1. TreFunny

        The March update also messed up several of my Hyper-V VMs…

        After install the System process thread count would keep rising through the day from 200 to 15,000+ threads and crash the server. It didn’t rear its head until I installed the April updates, then I had to go back and remove both months of security updates… it puts you in a hard place when MS is incompetent and you can’t rely on the updates not breaking X, Y, Z… but if you don’t install them they can come back and bite you other ways…

  3. Brian

    How about some credit for Natalie Silvanovich
    ( @natashenka )

    1. BrianKrebs Post author

      For sure! I’ve added a mention of her contribution to the story. Thank you!

  4. Ron G

    I think that it will qualify as actual “news” when and if a week ever goes by *without* any new critical security bugs being discovered and/or patched in Adobe Flash Player.

    After years of trying to keep up with the constant non-optional security updates to this deeply flawed product, one cannot help but wonder if Adobe has a set of untrained (and underpaid) chimpanzees developing and maintaining this product.

    1. ASitte

      The next question to ask is: Why is anyone continuing to deploy Adobe Flash on the systems they use, or in the solutions they are creating?
      If a product is flawed to the point of being dangerous, we should stop using it no matter how aesthetically pleasing it may seem.

      Remember, all Flash truly provides is an efficient web delivery platform for visual presentation of information or entertainment content. Their continued existence is purely based on “first-to-market” dominance.

      Analogy: Steel Lawn Darts. An enjoyable lawn toy that was on the market for years, but too dangerous to make or sell anymore.

      1. Flash Blarg

        Some applications require flash to work. I know of a CCTV/video monitoring application, as well as a payroll application that are built in flash. These are commercially developed and supported products. I’m sure there are plenty of others.

        For some sysadmins, it’s a business decision that they are not involved in, but must install/maintain/support.

  5. Nerv

    How’s things? Sometimes I see a 404 server error when I view your website. I thought you may wish to know. Best wishes

  6. Chris Pugson

    Neither of my Windows 7 systems were offered the update for Internet Explorer 11 (KB4018271). One of them was however offered KB3008923 which was an update for Internet Explorer released in January 2015.

    Am I correct in believing that Internet Explorer updates are not now included in the big roll-up?

    1. Eaglewerks

      My version of IE — Version 11.296.15063.0 (updated version 11.0.42 KB4018271) — did fully update, but I am running one of the newer versions of Windows 10. Because of your OS version you may have encountered a situation where you need to manually upgrade your version of Internet Explorer 11 on each of your machines.

      You might try:
      http://www.wikihow.com/Update-Microsoft-Internet-Explorer

      My system is running:
      Windows 10 Pro, Version 1703, OS Build 15063.296, 64-bit operating system, x64-based processor.

  7. Eaglewerks

    Everything installed without difficulty in the background yesterday. I am finding that my version of Windows only downloads the portion of fixes that are required, making most patches and fixes much swifter than with the earlier builds I ran. I did manually apply Adobe fixes to my edition of Firefox, which is set to always ask for permission to open any Flash application encountered. If I am required to use Flash, I prefer to use Edge for that encounter. Other than that I generally use Firefox for my general use. If “FVD Speed Dial” ever becomes available on Edge I would probably fully migrate to use of Edge as my browser.

    Windows 10 Pro, Version 1703, OS Build 15063.296, 64-bit operating system, x64-based processor.

  8. Scott

    Brian, just a quick comment about Microsoft’s out-of-band fix for their antimalware engine.

    Microsoft should not be overly credited for their quick turnaround time. Although I applaud the short turnaround time period itself, Microsoft integrates engine updates into their definition updates. The big plus for Microsoft is that they could release an antimalware engine update and instead of going through the normal “Microsoft Updates” process, the engine was updated with the normal antimalware definitions.

    I applaud the turnaround time; however, what I am saying is that Microsoft should not be given too much credit, since their update procedure was a simple fix on their end and an even easier installation for the users.

  9. Scott

    Brian, I am also fairly certain the only way to update Flash on Chrome OS is through the integrated Chrome OS updater. I have looked for any way to manually force an update, but have yet to find any, other than waiting for Google to release an update integrated into the Chrome OS itself.

    1. BrianKrebs Post author

      That’s correct. Chrome updates Flash through the browser automagically, but you may still have to restart the browser for the updates to be in place. If you notice an orange or red arrow within a circle next to the three dots to the right of the URL/address bar, it’s a sign that an update for Chrome is available for install. Click it and choose restart the browser.

      Btw, this information was included in the last paragraph of the story:

      Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

      1. Scott

        Brian, I do not disagree in the least bit, I was just concerned that this phrase could be misleading to ChromeOS users:

        “The latest Flash Player, v. 25.0.0.171 for Windows, Mac, Linux and Chrome OS, is available from this link.”

        The linked page has no option to download flash for ChromeOS. That is the point I was trying to make.

        Thank you for the info about the pending ChromeOS updates. I was not aware of that, as I only sparingly support a few ChromeOS users.

  10. charls

    First of all, Windows Update gets the cumulative security update for Internet Explorer 11 24 hours after WU gets the other patches: monthly security and quality rollup, May 2017 quality and rollup .NET Framework, malicious removal tool May.

  11. Anon91023

    ALL the more reason to use Qubes OS.

  12. Arbee

    Flash LSOs also known as Flash cookies

    I signed up for a web-based service and dutifully read the Terms of Use and Privacy Policy. Okay, I know that’s weird; bear with me.

    The Privacy Policy reminded me about Flash cookies.

    It’s been years since Flash has been installed on any computers for which I’m responsible. Indeed, the current batch of equipment has never had Flash installed.

    The Privacy Policy paragraph that mentioned Flash cookies concluded with:

    To learn how to manage privacy and storage settings for Flash cookies click here:

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117118

    That web page of course requires … wait for it … Flash!

    Without Flash installed, is there any way to check for / manage / delete Flash cookies? If Flash isn’t installed, does that preclude a site from placing Flash cookies?

  13. Kelli Emerson

    Does this update cause IE to not recognize Chrome? When I open Google on IE, it gives the “Get Chrome” header at the top, and it wants me to update my default search engine to Google, which is the only SE I have in IE. Thanks!

  14. STEVEN BRIAN JOYNER

    I’m fighting to reclaim myself and all the hate to live free from a life of stolen success
