June 13, 2017

Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without.

brokenwindowsAccording to security firm Qualys, 27 of the 94 security holes Microsoft patches with today’s release can be exploited remotely by malware or miscreants to seize complete control over vulnerable systems with little or no interaction on the part of the user.

Microsoft this month is fixing another serious flaw (CVE-2017-8543) present in most versions of Windows that resides in the feature of the operating system which handles file and printer sharing (also known as “Server Message Block” or the SMB service).

SMB vulnerabilities can be extremely dangerous if left unpatched on a local (internal) corporate network. That’s because a single piece of malware that exploits this SMB flaw within a network could be used to replicate itself to all vulnerable systems very quickly.

It is this very “wormlike” capability — a flaw in Microsoft’s SMB service — that was harnessed for spreading by WannaCry, the global ransomware contagion last month that held files for ransom at countless organizations and shut down at least 16 hospitals in the United Kingdom.

According to Microsoft, this newer SMB flaw is already being exploited in the wild. The vulnerability affects Windows Server 2016, 2012, 2008 as well as desktop systems like Windows 10, 7 and 8.1.

The SMB flaw — like the one that WannaCry leveraged — also affects older, unsupported versions of Windows such as Windows XP and Windows Server 2003. And, as with that SMB flaw, Microsoft has made the unusual decision to make fixes for this newer SMB bug available for those older versions. Users running XP or Server 2003 can get the update for this flaw here.

“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” wrote Eric Doerr, general manager of Microsoft’s Security Response Center.

“Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” Doerr wrote. “As always, we recommend customers upgrade to the latest platforms. “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”

The default browsers on Windows — Internet Explorer or Edge — get their usual slew of updates this month for many of these critical, remotely exploitable bugs. Qualys says organizations using Microsoft Outlook should pay special attention to a newly patched bug in the popular mail program because attackers can send malicious email and take complete control over the recipient’s Windows machine when users merely view a specially crafted email in Outlook.

brokenflash-aSeparately, Adobe has issued updates to fix critical security problems with both its Flash Player and Shockwave Player. If you have Shockwave installed, please consider removing it now.

For starters, hardly any sites require this plugin to view content. More importantly, Adobe has a history of patching Shockwave’s built-in version of Flash several versions behind the stand-alone Flash plugin version. As a result Shockwave has been a high security risk to have installed for many years now. For more on this trend, see Why You Should Ditch Adobe Shockwave.

Same goes for Adobe Flash Player, which probably most users can get by with these days just enabling it in the rare instance that it’s required. I recommend for users who have an affirmative need for Flash to leave it disabled until that need arises. Otherwise, get rid of it.

Adobe patches dangerous new Flash flaws all the time, and Flash bugs are still the most frequently exploited by exploit kits — malware booby traps that get stitched into the fabric of hacked and malicious Web sites so that visiting browsers running vulnerable versions of Flash get automatically seeded with malware.

For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today to version 26.0.0.126. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

Update, May 16, 10:38 a.m. ET: Microsoft has revised its bulletin on the vulnerability for which it issued Windows XP fixes (CVE-2017-8543) to clarify that the problem fixed by the patch is in the Windows Search service, not the SMB service as Microsoft previously stated in the bulletin. The original bulletin from Microsoft’s Security Response Center incorrectly stated that SMB was part of this vulnerability: rather, it has nothing to do with this vulnerability and was not patched. The vulnerability is in Windows Search only. I’m mentioning it here because a Windows user or admin thinking that turning off SMBor blocking SMB would stop all vectors to this attack would be wrong and still vulnerable without the patch. All an attacker needs to is get some code to talk to Windows Search in a malformed way – even locally — to exploit this Windows Search flaw.


54 thoughts on “Microsoft, Adobe Ship Critical Fixes

  1. Sasparilla

    Windows 7 & 8.1 June Security Only patch links

    Windows 7 Security Only June update:
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4022722

    Windows 8.1 Security Only June update:
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4022717

    Windows XP update:
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4024323

    Have to add the I.E. update link later.

    Glad to say Microsoft has updated their Catalog functionality and now you can download these updates with browsers other than I.E.. (Firefox worked for me, although you still might need an admin account if a user account has trouble)

    1. KFritz

      Typing “June 2017” into the Update Catalog, I found none of the links you show listed. I’ve been using the month/year search since late last year, and it’s always worked before. What search term did you use, please? Thanks for any info.

    2. KFritz

      Problem solved: “Security updates 2017.” “Security updates June 2017” doesn’t work. They’ll probably include the Security updates with the rest one of these days.

    3. KFritz

      Problem solved: “Security updates 2017.” “Security updates June 2017” doesn’t work. Perhaps they’ll have everything all in one place a little later.

    1. Porter

      I imagine someone is calculating costs. I imagine the costs are a lot higher if you don’t patch.

    2. Eric

      Less, because most people can’t be bothered to apply these things.

      Newer versions of Windows install them automagically.

      1. Dave

        @Eric: “Newer versions of Windows install them automagically”

        And then your PC goes into a bluescreen-reboot loop and instead of a few minutes with updates you lose many days rebuilding your system from scratch. Thanks, Microsoft!

        1. Dave Horsfall

          And against all advice, people still run Windoze… No, I am not a Penguin/OS advocate, and neither am I a Macoid.

            1. Nobby Nobbs

              Probably on an Amiga.
              When’s the last time you saw an exploit for that?

        2. Dani

          Hi Dave

          This blue screen loop is exactly what happened to my computer last night, when Windows 10 updated on it’s own. Now it shows the BSOD with “System Thread Exception Not Handled”
          All forum threads I searched about this issue were not working for my case.

          How do I get out of it? Is there a way to update with the patch from the loop advance mode? I can’t even access to the safe mode…

          Or should I just wipe out my machine, do a clean install and then add the patches…… (please no please no please no……)

  2. IRS iTunes Card

    Busy month for security updates !

  3. gary

    If I may rant, last month’s roll up for win 7 didn’t install. When MS provided each patch individually, I could find which didn’t work and investigate that patch. So the roll up is a terrible idea. Fortunately I use Linux and FreeBSD the majority of the time.

    1. timeless

      I finally fixed my problem by deleting the software distribution directory.

  4. BrianC

    FYI: Your link to “another serious flaw” doesn’t work.

  5. Chris Vail

    If this bug is in the wild for Windows servers, is the *nix community also responding for Samba?

    Samba is the Unix/Linux answer to Server Message Block. It adopts the Windows signaling system and adapts it to Unix/Linux. Samba is widely used in the server community to share data between Unix/Linux and MS operating systems. Those of us who have been using it for a number years are completely unsurprised at the discovery of this vulnerability. At issue then is how fast the Samba community will also issue patches and updates.

    It is not and never has been a secure protocol. It was not designed to be. It can be secured, but it is never easy or cheap, of course.

    It will be interesting to see if the FOSS community responds quickly to this threat.

    1. Jim

      That would depend on just what this problem is patching, wouldn’t it? Samba servers were not vulnerable to the eternalblue problem, and generally since the SMB service is inside the Windows kernel, but Samba servers run as processes outside the (Linux) kernel, I wouldn’t expect problems in one to automatically carry over to the other. Unless, I suppose, the problem was generic to the SMB protocol itself.

    2. Jason

      Linux fixes to ‘Eternal Red’ and a few other SMB flaws were fixed last week. IIRC

  6. na

    Microsoft running scared it seems, adding patches for all vulnerabilities in the June Shadowbrokers monthly dump. At least they finally decided to start patching EquationGroup 0-days. Eeeks.

  7. JCitizen

    Adobe silently updated to the new version without any effort from me. I’m glad Brian alerts us on this, because I’d never know it happened – unless I started constantly checking my flash version everyday.

    Thank you so very much Brian for these alerts – I’ve become very dependent on them!

    Come to think of it, Secunia popped up because for some reason Chrome didn’t auto update, so I should have checked Adobe also at the time. Chrome updated manually just fine.

    Despite Mozilla’s claim that this flash file would not be needed after version 53 was not correct – I still can’t get video to work without this NPAPI file on-board.

  8. cthulhu

    I may be just a dumb schlub, but it seems to me that there has been evidence of a cozy relationship between Microsoft and the Intelligence Community for quite a while (e.g. https://en.wikipedia.org/wiki/NSAKEY ).

    It seems that the quid pro quo might have been: the IC doesn’t harp on security weaknesses in Microsoft products and collects zero-days, while Microsoft patches security holes at its own schedule depending on public outcry and evades legal culpability for major vulnerabilities.

    The Shadow Brokers affair seems to have changed the calculus — after realizing that losing control of such a hoard of zero-days makes the NSA look extremely bad, the IC seems to have leaned on Microsoft with, “if pressed on these, we’re going to point the finger at how vulnerable your software was in the first place.” Microsoft, in return, has devoted considerable effort into improving their security — even w/r/t OS’s past their expiry date.

    The good news, I suppose, is that all those who escap the worst consequences will benefit from the new arrangements — Microsoft will compete with industry-wide security standards and the IC will hold a much smaller portfolio of unpatched security issues, and users will have more secure systems.

  9. Drone

    “Users running XP or Server 2003 can get the update for this flaw here.”

    What am I supposed to do withe links on that page? Which link is for this latest vulnerability in Windows XP for-example?

  10. Drone

    Studying the Microsoft mess further, something seems wrong with the table “Microsoft security advisory 4025685: Guidance for older platforms: June 13, 2017”. The latest MS17-013 is the “Security Update for Microsoft Graphics Component (4013075)”. But under MS17-013 column it lists KB4012583 which points to the previous MS17-010 which is last month’s “Security Update for Microsoft Windows SMB Server (4013389)”, which is the “Wanna Cry” SMB patch, not a Microsoft Graphics Component patch.

  11. Chris Pugson

    Microsoft sure does make it confusing to locate WannaCry relevant patches for XP. The years-old patches they refer to are already installed on my XP system which has been diligently and continuously patched since 2006. The patches offered are of identical size and MD5 to old patches with the same KB number. ???

    Is Microsoft actually reckoning that many old patches were never installed when they first became available?

    Windows update for XP is not helped when IE8 is not able to to open the Windows updates site. I receive the following message: –
    “Your browser is out-of-date
    You need to update your browser to use the site.
    Update to the latest version of Internet Explorer”

    Eh?

    IE8 could access the Updates site as recently as April 2017.

      1. SeymourB

        Interestingly enough, I only see the “Your browser is out of date” error on non-admin accounts. Its the same link in both cases but I think Microsoft changed the “you have to be an admin” error to something designed to instill fear in grandparents.

  12. CT_Yankee

    Got on my puter this am only to discover that my system had been totally restarted as a result of Microsoft’s latest update.

    This update essentially trashed all of my installed applications.

    Outlook was nowhere to be found.

    Why does Microsoft insist on installing updates WITHOUT my okay?

    1. Michel R.

      “Why does Microsoft insist on installing updates WITHOUT my okay?”

      Because you wrote “puter”. 😀

      It’s likely because so many people were NOT installing updates. I remember going to my niece’s place a few months after she got a Windows 7 PC a few years ago and she had not installed one single update. “I don’t install updates”, she said. I spent about 8 hours doing that for her. sigh

      Personally Windows updates have been less damaging than OS X updates. I think Apple have it in for me.

      1. Eric

        The problem is that they don’t know when things are going on and a reboot would be most unwelcome. So now they do it whenever they feel like it and you have to pick up the pieces afterwards.

        I was in a meeting once – ready to make a presentation, and my laptop decided to reboot after having installed updates without my knowledge. I had to scramble so I could make the presentation from a different computer.

  13. Andrea

    how do you update adobe flash in google chrome when the browser has not updated yet. thank any ones help will be helpful!

    1. Chris Pugson

      Enter “chrome://components” in the address bar and then then scan down the displayed page. Click the update button of any feature you want updating. Being insane, I click the lot.

    2. Chip Douglas

      In Chrome, click three small balls at top right of browser window, click help, click about Google chrome. Wait for download to finish and message to restart to finish, click restart. Adobe is updated simultaneously with Chrome.

  14. Tony

    Yikes! This is just Windows. Can you imagine the security holes left in internet connected medical equipment, automobiles, industrial controllers, and home entertainment devices. Yet we press forward rolling out this technology as if there is nothing to see here. Sloppy, sad, so wrong.

  15. h@zker

    Your blog is going down…nothing interesting to read anymore here..long time ago i use to read about eastern european cyber criminals…but now nothing interestong anymore to read here

  16. Jake

    Your blog is awesome! Always lots of interesting articles to read… long time ago it was mainly about eastern european cyber criminals… but now is so much more

  17. tim

    I started a critical update, my screen just keeps flashing “Hi”, This might take several minutes”We have some updates for your PC”,”Don’t turn off your PC”. Then it changes from black screen to blue screen, then back to black. Is this normal? Several minutes has turned into hours. What do I do?

      1. timeless

        Fwiw, this morning the computer I allowed Windows 10 to install the Creators Update indeed showed that message…

  18. Catwhisperer

    Thanks for the heads up Brian. A client is using Server 2003 and I have an XP bunny for penetration testing/play-around with Kali. Maybe this kind of notice will cause the client to feel a fire under his butt and upgrade to Server 2016 instead of 2012…

  19. Arbee

    I’m a few days late to this month’s party. Herewith a comment and two questions:

    First, this month, Microsoft appears to have adopted the Recommended-By-Brian-Krebs-Windows-Update-Sequence. The machines I’m wrangling all run W-7 Professional, some, 64-bit, others, 32-bit. All are set to “Check for updates but let me choose whether to download and install them”. On offer initially this month were

    2017-06 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4022719)

    and

    Windows Malicious Software Removal Tool x64 – June 2017 (KB890830)

    which both installed with no problems. Only after installing these packages (and rebooting) was

    Microsoft .NET Framework 4.7 for Windows 7 and Windows Server 2008 R2 for x64 (KB3186497)

    offered. The .NET Framework update also installed with no problems. This is consistent with advice I learned here: install .NET Framework updates separately / after other updates, but it’s the first time Microsoft has enforced this sequence. Dunno whether others experienced this; I read no mention of it.

    Second, twice in May (May 11 and again on May 23), Microsoft offered

    Windows Malicious Software Removal Tool x64 – May 2017 (KB890830)

    The update history log recorded the May 11 status as “successful”; same with the subsequent May 23 installation. Any comments on why this update showed up twice?

    Last, concerning Flash LSOs also known as Flash cookies

    Recently, I signed up for a web-based service and dutifully read the Terms of Use and Privacy Policy. Okay, I know that’s weird; bear with me.

    The Privacy Policy reminded me about Flash cookies.

    It’s been years since Flash has been installed on any computers for which I’m responsible. Indeed, the current batch of equipment has never had Flash installed.

    The Privacy Policy paragraph that mentioned Flash cookies concluded with:

    To learn how to manage privacy and storage settings for Flash cookies click here:

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117118

    That web page of course requires … wait for it … Flash!

    Without Flash installed, is there any way to check for / manage / delete Flash cookies? If Flash isn’t installed, does that preclude a site from placing Flash cookies?

  20. Jacob S

    Can someone elaborate on the outlook exploit? It sounds really serious.

  21. Gerald Wilcox

    Its just scary how much damage these people can do, the more I read this stuff the more I worry about every piece of data that I want to keep.

  22. bob

    FYI Adobe have updated Flash again and the latest version is 26.0.0.131

  23. kate

    After so many months of searching for a real hacker and getting ripped off i finally found this genius named Dark Web.This guru helped me erase and remove blemishes on my report,If you need to increase your score with excellent result i will advice you to get hold him because it’s services are affordable.I am recommend him so you guys can also share yours testimony just like i did too.(darkwebcyberservice@gmail.com) is the best programmer .. try him and get all your credit score increased and repair your website

Comments are closed.