Adobe and Microsoft both on Tuesday released patches to plug critical security vulnerabilities in their products. Microsoft’s patch bundles fix close to 80 separate security problems in various versions of its Windows operating system and related software — including two vulnerabilities that already are being exploited in active attacks. Adobe’s new version of its Flash Player software tackles two flaws that malware or attackers could use to seize remote control over vulnerable computers with no help from users.
Of the two zero-day flaws being fixed this week, the one in Microsoft’s ubiquitous .NET Framework (CVE-2017-8759) is perhaps the most concerning. Despite this flaw being actively exploited, it is somehow labeled by Microsoft as “important” rather than “critical” — the latter being the most dire designation.
More than two dozen flaws Microsoft remedied with this patch batch come with a “critical” warning, which means they could be exploited without any assistance from Windows users — save for perhaps browsing to a hacked or malicious Web site.
Regular readers here probably recall that I’ve often recommended installing .NET updates separately from any remaining Windows updates, mainly because in past instances in which I’ve experienced problems installing Windows updates, a .NET patch was usually involved.
For the most part, Microsoft now bundles all security updates together in one big patch ball for regular home users — no longer letting people choose which patches to install. One exception is patches for the .NET Framework, and I stand by my recommendation to install the patch roll-ups separately, reboot, and then tackle the .NET updates. Your mileage may vary.
Another vulnerability Microsoft fixed addresses “BlueBorne” (CVE-2017-8628), which is a flaw in the Bluetooth wireless data transmission standard that attackers could use to snarf data from Bluetooth-enabled devices that are physically nearby and with Bluetooth turned on.
For more on this month’s Patch Tuesday from Microsoft, check out Microsoft’s security update guide, as well as this blog from Ivanti (formerly Shavlik).
Adobe’s newest Flash version — v. 27.0.0.130 for Windows, Mac and Linx systems — corrects two critical bugs in Flash. For those of you who still have and want Adobe Flash Player installed in a browser, it’s time to update and/or restart your browser.
Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are ready to install).
Better yet, consider removing or at least hobbling Flash Player, which is a perennial target of malware attacks. Most sites have moved away from requiring Flash, and Adobe itself is sunsetting this product (albeit not for another long two more years).
Windows users can get rid of Flash through the Add/Remove Programs menu, unless they’re using Chrome, which bundles its own version of Flash Player. To get to the Flash settings page, type or cut and paste “chrome://settings/content” into the address bar, and click on the Flash result.
As always, thank-you Brian!
For those who may find it useful, here’s the September 2017 Patch Tuesday rundown from the SANS Internet Storm Center: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+September+2017/22816 .
Also, FWIW, here is Woody Leonhard’s overview on this month’s patches: https://www.computerworld.com/article/3224390/microsoft-windows/bloated-patch-tuesday-brings-fix-for-nasty-wordrtfnet-vulnerability.html .
“BlueBorne” is much more than just Microsoft (but hats off to Microsoft silently patching in two months ago). Android, Linux, and iOS are all affected with one or more CVEs.
https://www.kb.cert.org/vuls/id/240311
Adobe also issued updates for Acrobat/Reader and AIR.
Kinda expected to see this post yesterday as usual, but I understand if the Equifax situation has been on the front burner.
The only update issued for Acrobat/Reader was applicable to DC, not the earlier editions – last bulletin was in August.
https://helpx.adobe.com/security.html#acrobat
http://supportdownloads.adobe.com/product.jsp?product=10&platform=Windows
All I can say is that it made for an interesting morning at work. As soon as co-workers started showing up, the phone lit up with sundry emails, calls, and texts. The print queue is very slow, we can’t get into the network drive, the vpn is down, etc. Wound up having to reboot servers, sometimes more than once, to get things back shipshape.
Though I preach the necessity of updates regularly, and practice that preaching, I sometimes dread Microsoft’s Update Tuesdays!
Hi there, You’ve done an incredible job. I’ll certainly digg it and personally recommend
to my friends. I am sure they will be benefited
from this web site.
Hi there, You’ve done an incredible job. I’ll certainly digg it and personally recommend
to my friends. I am sure they will be benefited
from this web site.
Whenever I see this headline I think of that scene in LA Story where the weatherman just records the weather forecast and plays it every day instead of showing up for work.
I realize the headline for this is often the same or similar, but I do still have to spend time reading and digesting the advisories, etc. It’s not a total cut and paste job you know 🙂
It would be funnier if you could just hit the “#23” macro and post the exact same story each time. The details are pretty much identical each round.
Microsoft Edge on Windows 10 has built-in Flash as well. The Microsoft update will include any Flash updates for that.
Edge uses only the built-in AX flavor of Flash — as Brian notes, if you use any other type of browser you must separately/manually install the appropriate non-AX flavor.
After I’d installed the MS patches on my Win7 Ultimate desktop (in batches, holding the .NET for last) and rebooted, everything seemed to go nominally for the remainder of Tuesday, and at the end of the day it shut down normally. Wednesday morning on boot the “Configuring Windows” screen came up with a 100% indicator and the usual warning not to turn it off, but it seemed to have hung up because that screen stayed unchanged for far too long.
Rather than force the issue, I used a laptop (Win10 that had absorbed/processed the previous day’s downloads and installed everything okay) to see what best to do in such circumstances, and was still reading through various options about 15 minutes later when that ‘configuring Windows’ screen finally disappeared and the normal login screen was presented. I logged in without issue and have not seen evidence of any further glitches or odd OS behavior, but it was certainly an unusual pattern for a Patch Tuesday.
BLUETOOTH VULNERABILITY AFFECTS ALL MAJOR OS
https://hackaday.com/2017/09/14/bluetooth-vulnerability-affects-all-major-os/
Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting Linux, Windows, Android and iOS operating systems. These vulnerabilities alone or combined can lead to privileged code execution on a target device. The only requirement is: Bluetooth turned on. No user interaction is necessary to successfully exploit the flaws, the attacker does not need to pair with a target device nor the target device must be paired with some other device.
The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.
Forgive me if this is a stupid question…
But wouldn’t this vulnerability impact automobiles that have BlueTooth functionality??
I’m able to connect my phone with my 2015 MiniVan via BlueTooth.
Why is not the solution (Hack-o-Fax) to increase
their data base X4, so when data is indeed stolen
80% of all files are phony??
Their head of data security has a music major !!!!
This firm needs to get cremated !
I must give you all a warning that the Armis BlueBorne Scanner Android app is not fully effective at detecting devices around you that may be vulnerable. It can only detect devices that are actively in discover mode. The BlueBorne vulnerability however is able to spread (they claim) to any device that has bluetooth turned on, not just in discover mode. I have confirmed this scanner cannot detect all bluetooth devices. Here is something I wrote in another forum:
I installed this on an unused Motorola that the scanner claims is not vulnerable (my phone is so I didn’t want to use it). After testing out this scanner I do not recommend using it to see if there are vulnerable phones around you. Why? Because it can only detect phones (or other devices) that are in discover mode. Yet the BlueBorne vulnerability also can attack (or so claimed) devices that are NOT in discovery mode. So this scanner cannot even detect most devices.
I can confirm, that I had to put 3 cell phones I posses into discover mode before the Armis scanner even saw them. Same with my car’s Sync, I had to start a discover session before it was found. Also I went to the cafeteria at work where there were about 25 people and the scanner didn’t detect a single phone. I then took a long way back to my office and the scanner only detected 4 devices: Two bluetooth enabled pedometers, a laptop and one Samsung phone.
I really appreciate this blog and all the comments. Not saying I understand it all but it sure makes me realize how serious this is. Thank you all!
it is one of the best place to learn about the latest security threat developed by the people so thanks for sharing such a nice information
FireEye said the .Net zero day involved an RTF document that was opened in MS Word.
I wish .Net had a master on/off checkbox to keep it disabled until needed. Win 7 comes with .Net 3.5. but I don’t have anything that uses it. On my system, I do need .Net 4.5 for TurboTax. And I only need that for a few weeks out of the year.
The Security tab of the Control Panel for Java has on on/off switch for running it in the browser. .Net needs something similar.