August 8, 2017

Adobe has released updates to fix dozens of vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, it’s time once again to get your patches on.

More than two dozen of the vulnerabilities fixed in today’s Windows patch bundle address “critical” flaws that can be exploited by malware or miscreants to assume complete, remote control over a vulnerable PC with little or no help from the user.

Security firm Qualys recommends that top priority for patching should go to a vulnerability in the Windows Search service, noting that this is the third recent Patch Tuesday to feature a vulnerability in this service.

Qualys’ Jimmy Graham observes that many of the vulnerabilities in this month’s release involve the Windows Scripting Engine, which can impact both browsers and Microsoft Office, and should be prioritized for workstation-type systems.

According to Microsoft, none of the flaws in August’s Patch Tuesday are being actively exploited in the wild, although Bleeping Computer notes that three of the bugs were publicly detailed before today’s patch release.

Case in point: This month’s patch batch from Microsoft does not address the recently-detailed SMBLoris flaw, a vulnerability in all versions of Windows that can be used to remotely freeze up vulnerable systems or cause them to crash.

For those of you who still have Adobe Flash Player installed in a browser, it’s time to update and/or restart your browser. The latest version of Flash Player is v. 26.0.0.151 for Windows, Mac and Linux systems.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. (Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are ready to install.)

Better yet, consider removing or at least hobbling Flash Player, which is a perennial target of malware attacks. For more on how to do that and other ways to reduce your exposure to Flash-based attacks, see this post.

By the way, the bulk of the vulnerabilities that Adobe patched today were in versions of its Acrobat and Adobe PDF Reader software. If you use either of these products, please take a moment to update them today.

As always, if anyone experiences weirdness or troubles after installing today’s updates, please leave us a note about it in the comments.


19 thoughts on “Critical Security Fixes from Adobe, Microsoft”

  1. IRS iTunes Card

    Firefox has released version 55 today also :–)

  2. JimV

    No update for AIR as of yet, but one should come shortly.

    1. Stratocaster

      The AIR update has been posted: 26.0.0.127.

      1. JimV

        That version dates from mid-July, and isn’t a new release.

  3. Peej

    SANS Internet Storm Center has taken the patch notifications from Microsoft and created a listing of the “bundle” close to what we had before the “time of the bundle.” Just in case you’re pulling your hair out trying to find all the details on the patch Tuesday dump.

  4. Rey Barry

    Adobe Flash again – as with the last update – reported it was unable to initiate the install on my Macbook Pro running El Capitan.

  5. zoxim

    Windows update shows an optional update: “July, 2017 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Server 2012 R2 for x64 (KB4032115)”
    It’s August. What’s that about?

  6. zoxim

    Has anyone tried using Microsoft’s “Virtual Agent” to request info? It’s amazingly useless.

    1. Moike

      The Microsoft “Virtual Agent” is hysterical when trying to solve a Microsoft account log in problem. The first step in every action is to “Log into your Microsoft account”.

  7. Drone

    Ugh, here we go again. Another 10-20 hours to update Windows 10 – and that’s if it works at all! Why does it take sooooooo long?

    1. Liquidretro

      It definitely should not take that long to update Windows 10 under any conditions (assuming you have a reasonable internet connection). Have you checked the health of your hardware, specifically the hard drive or SSD?

      1. SeymourB

        Never discount RAM usage. Folks loooooove to open up three dozen tabs in Chrome, eat up all available RAM in their system, then complain that their system is slow when trying to do anything else.

    2. phatty

      10 to 20 hours to update win 10? …houston we got a problem

  8. Mahhn

    Has MS or Adobe ever had a finished (no more patches *needed) product that worked and wasn’t a hacker’s delight?

    You’d think MS would get an OS right after 30+

    1. trefunny

      not really a fair assessment considering they change OSes every few years and add backward compatibility to most of them at the end users’ request.

      and users want features/ease of use, more than security (this is now slowly changing)

  9. bitcoin anonymous

    adobe flash player now is a team division of microsoft, because internet explorer 11 and its patches in cumulative security monthly rollup integrated the genuine flash patch.

  10. Peteski

    Aaaaannnd it breaks application rendering.

    The July 2017 monthly and security only rollups from MS are causing numerous apps to not render when not on the primary monitor or if the monitors are arranged with the primary not in the top-left position (I think).

    Causes numerous issues for us already. Thanks MS. Really on a roll these last few months with the untested patches.
