July 11, 2017

It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities.

The updates from Microsoft concern many of the usual program groups that seem to need monthly security fixes, including Windows, Internet Explorer, Edge, Office, .NET Framework and Exchange.

According to security firm Qualys, the Windows update that is most urgent for enterprises tackles a critical bug in the Windows Search Service that could be exploited remotely via the SMB file-sharing service built into both Windows workstations and servers.

Qualys says the issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1.

“While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya,” Qualys notes, referring to the recent rash of ransomware attacks which leveraged similar vulnerabilities.

Other critical fixes of note in this month’s release from Microsoft include at least three vulnerabilities in Microsoft’s built-in browser — Edge or Internet Explorer depending on your version of Windows. There are at least three serious flaws in these browsers that were publicly detailed prior to today’s release, suggesting that malicious hackers may have had some advance notice on figuring out how to exploit these weaknesses.

As it is accustomed to doing on Microsoft’s Patch Tuesday, Adobe released a new version of its Flash Player browser plugin that addresses a trio of flaws in that program.

The latest update brings Flash to v. 26.0.0.137 for Windows, Mac and Linux users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). A green arrow in the upper right corner of my Chrome installation today gave me the prompt I needed to update my version to the latest.

Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.


29 thoughts on “Adobe, Microsoft Push Critical Security Fixes”

  1. IRS iTunes Card

    I had a problem with my Windows 8.1 installing the July security roll up. It took me three attempts and two reboots.

  2. Charlie

    Two comments:

    1, The link above for the former “Flash Player version tracker” [http://www.adobe.com/software/flash/about/] no longer tells you which version has been installed on your system. It lists the latest versions for various operating systems but doesn’t say which one is installed.

    2, On my Macintosh, I updated (as I usually do) using the Flash Player control panel under “System Preferences”. After completing the update, I found that the update had changed some of my preferences to less secure options, without notifying me or asking my permission. Namely, “Block all sites from using the camera and microphone” was changed to “Ask me when a site wants to use the camera or microphone”; and “Block all sites from using peer-assisted networking” was changed to “Ask me when a site wants to use peer-assisted networking”. Readers of this blog should be aware that you may have to go back and manually reset those preferences to the more secure options.

    In addition, following Brian’s advice, I set my browser preferences to block all sites from using Flash, other than a very few highly trusted websites that I have approved in advance.

  3. JPTX

    An alternative Flash version verifier page can be found here:

    https://helpx.adobe.com/flash-player.html

    It provides a simpler interface that should be easier for non-technical types to determine how to verify or update their browser’s version of Flash.

    1. Charlie

      The verifier cited above only shows the first three segments of the version number, i.e. just “26.0.0” instead of “26.0.0.137”.

      1. Steve

        That’s true… at first. But after you click the “Check Now” button, and the short version info is displayed, look above the info for a gray box that may or may not have the “click to activate Flash” icon, and click that. Then the full version will appear below.

    2. Ole Juul

      Just tried that.
      “Sorry, Flash Player is either not installed or not enabled.”
      Great, … I’m all up to date then!

  4. JCitizen

    Adobe auto-updated as usual – now if Microsoft would just learn to do that on time?!

    I had to check for my Office and Rollup update manually. They never seem to want to let it go until Wednesday for some reason. Cheap on bandwidth, I suspect.

  5. xhesscanoe

    While Chrome, Opera, and Firefox are now updated to Flash 26.0.0.137 for me, on Windows 10 Home x64 Both Edge and IE11 still show Flash at 26.00.120 . Apparently Microsoft did not update EDGE and IE11 today.

    I also updated Adobe Acrobat Reader DC today to 2017.009.20058 for those using that product.

    1. chesscanoe

      It is nice to see Microsoft on 2017-07-12 makes Windows Update bring Edge and IE11 to 26.0.0.137 with KB4025376. Finally on a Version par with what has been available for Chrome, Firefox, and Opera.

  6. Andrew Rossetti

    There was also an update to Adobe Reader as well.

  7. Aurangzeb

    The best thing about flash player is that I can play online games (flash games). But alas it’s not secure so I have completely uninstalled it, sometimes I miss those games, but hey! I miss a lot of other things too, missing one more thing is not so difficult! 😛

    I suggest game programmers to please start using javascript with webgl and canvas etc. They can create awesome games in javascript too, and transporting flash stuff into javascript should not be that difficult if they have the source code.

  8. Mike

    The recent security update for Adobe, distributed by and with the Windows 10 update made my Firefox Browser crash on start. After one hour searching for solutions, I removed the update manually and now Firefox is starting again (Flash was the most recent version).
    Microsoft just installs updates with a restart or shutdown. I even have no choice here. Do I need to uninstall the same corrupt update again and again until it’s finally fixed?
    I don’t trust Microsoft anymore. They ‘force’ too much, install many unwanted programs and almost every recent update caused problems. I hope for a strong comparing company that will give us a Windows compatible alternate platform. And yes, Flash being fully replaced with HTML video and the like would be welcome. I had NEVER another software that needed so many updates as this one. Just bad!

    1. rayy

      I think you actually have some control over Windows updates–check out “Windows Update” under “help and support”.

    1. Mike

      I love that page.

      Essentially what the bottom of the page means is this.
      “When all else fails, here’s a simple, straightforward link to download a plain, full installer, instead of downloading a tiny program after selecting an option for extra stuff or not, and the tiny program downloading the installer in parts. We apologize that we use such a convoluted method.”

  9. Pat

    I’m checking for problems reported after installing Windows update (automatically). I’ve not seen this reported: Was unable to use Edge to get to internet last night. Only able to get through to Gmail. May have been cable modem problem discovered afterwards. Did shutdown and then restart. Finally able to connect to Facebook but not everything back to normal. It took a couple of shutdowns AND restarts last night and this morning before completely getting back to normal. Seems odd that I lost access to Edge browser temporarily. Oh yeah, Flash was updated to 26.0.0.137. Were problems with Edge just me?

  10. Tristan

    After the update automatically took place i came back to my computer on a recurring blue screen loop… i had to restore my system back a few days to fix the forced update. Thanks windows

  11. EndUser

    To update Flash player within Google Chrome, or to see if it has been successfully updated after trying Brian’s above method, type the following into the address bar.

    chrome://components.

    You will see Adobe Flash Player. Click “Check for Updates” button. It will cause it to manually check if there is an update available, if so it will download and install it. I just did it myself.

  12. Drone

    Ugh another Patch Tuesday. That means another period of hours when the computer is unusable. Why does updating Windows 10 take so damn long?

    Linux Mint never takes more than ten minutes or so to update, even if I don’t let it update for weeks on end. Windows 10 takes forever in comparison and I really can’t control when it happens, which is a Disaster when I’m on the road with a laptop and a slow very expensive connection (I live mostly in developing countries, like the other 90% of the people in the World).

    In fact, updating Windows 10 is so painful, I’ve stopped using Win10 mostly these days and boot into Linux instead. It’s at the point where the only time I boot Windows anymore is when I’m forced to by a particular Windows-only application, or when it’s time to attempt the Dreaded Windows Update.

    Epic Fail Microsoft! I’m tired of fighting with Windows Update.

  13. mr.quin

    dear sir.mir fellow Krebs.
    at the end of this year you should
    make like TOP 3 Frauds;scams or etc. Like to read about which is most badly like which one done the most damage?
    And also you should make list of who got the longest jail time?
    I’m sure the blog readers would love that stuff to read about it.
    i always drink beer and smoke some cigarettes the time i read your blog keep doing what you doing. I’m sure even fellow crooks fraudsters have big respect on you !!

  14. Angela

    After installing latest Windows 10 updates, all of my internet browsers crash. It will not allow me to uninstall any updates or roll back to the previous version. Edge, Chrome, Explorer and Firefox are all useless now. Any ideas on how to fix this?

    1. Mike

      Uninstall your Antivirus (likely you use Comodo). Then reinstall the newest version. Solved it in my case. Recent Windows updates are not compatible with third party Antivirus programs (see https://support.mozilla.org/en-US/questions/1167444). Another strategy to get people to use THEIR stuff? Windows updates should be checked for compatibility with common third party programs!

  15. Trevor Jenkins

    Last month’s MS updates wiped out synchronisation of Outlook 2007 calendars and contacts to Apple devices through iCloud with no resolution from either MS or Apple on the horizon without reintroducing the vulnerability that the update sought to address.
    Now today’s release has resulted in not being able to connect to the internet at all.
    There isn’t even a setting on Windows 10 Home to prevent automatic installation of Windows updates.
    Surely the time has come for authorities to take action against MS? Brian Krebs are you up for a challenge?

  16. George G

    When I read the article I went to do the updates.
    (W10, x64 Dell laptop).
    Two Windows updates installed on July 12.

    Then on July 14 I got failures for these two repeatedly:

    Microsoft .NET Framework 4.7 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB3186568)
    Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4015438)

    This morning I successfully installed the NET Framework update, but when I go to try for the second one (Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4015438)) Windows tells me that my system is up to date.

    Any ideas what is going on here?

  17. fl0ppy

    i just read this to drink the sweet sweet nectar of frustrated windows user’s tears.

Comments are closed.