November 14, 2017

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday”) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe has security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

Adobe issued patches to fix at least 62 security vulnerabilities in its products, including several critical bugs in Adobe Flash Player and Reader/Acrobat. The Flash Player update brings the browser plugin to v. 27.0.0.187 on Windows, Mac, Linux and Chrome OS.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice: once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart, although users may need to manually check for updates and/or restart the browser before the new version is picked up.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.
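Since the patch may need to be applied once per browser, an administrator will want to confirm which Flash binaries on a machine actually reached v. 27.0.0.187. The following PowerShell audit is an added example, not code from the original post; it assumes the standard Macromed\Flash install directories for the ActiveX (IE) and NPAPI/PPAPI plugins plus Chrome’s own PepperFlash folder, reads only file version metadata, and changes nothing.

```powershell
# Added example (not from the original post): report whether each Flash Player
# binary on this Windows machine is at or above the version shipped in this
# month's update (27.0.0.187, per the post). Read-only; no changes are made.
$patched = [version]'27.0.0.187'

# Assumed standard locations: ActiveX control (IE) and NPAPI/PPAPI plugins under
# Macromed\Flash, and Chrome's bundled PepperFlash under the user profile.
$dirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\PepperFlash"
)

$found = foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue `
        -Include 'Flash*.ocx', 'NPSWF*.dll', 'pepflashplayer*.dll' |
        ForEach-Object {
            # Flash reports versions as "27,0,0,187"; normalise to dotted x.y.z.w
            $fv = ($_.VersionInfo.FileVersion -replace ',', '.')
            $ver = $null
            if ($fv -match '(\d+\.\d+\.\d+\.\d+)') { $ver = [version]$Matches[1] }
            [pscustomobject]@{
                File    = $_.FullName
                Version = $ver
                Patched = ($null -ne $ver -and $ver -ge $patched)
            }
        }
}

if (-not $found) {
    Write-Output 'No Flash Player binaries found: nothing to patch.'
} else {
    $found | Format-Table -AutoSize
    $stale = @($found | Where-Object { -not $_.Patched })
    if ($stale.Count -gt 0) {
        # Each browser keeps its own copy, so the update may be needed per browser
        Write-Output "Outdated Flash components: $($stale.Count). Re-run the Flash update for each affected browser."
    }
}
```

A machine with Flash removed entirely simply reports no binaries, which is the end state the post recommends.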


16 thoughts on “Adobe, Microsoft Patch Critical Cracks”

  1. Wm Buxton

    A much better idea is to un-install Flash and then never install it again.

  2. Cog

    The windows update also fixed the bug in the fall creators update that killed the start menu and windows apps for most, and the start menu and Microsoft Edge for me.

  3. bjkeefe

    Good to see you’re once again doing posts about MS’s Patch Tuesday! That’s how I originally discovered you, back in your WaPo days.

    (I apologize if I haven’t noticed other similar posts in previous months.)

  4. Wullubey

    Looks like you’ve linked to 11848 twice, one of the 4 publicly disclosed is CVE-2017-11827 | Microsoft Browser Memory Corruption Vulnerability

  5. nathan pate

    There WAS an add-on called FlashDisable which was great, but the new, latest version of Firefox does not support it, and disables it.

  6. bobl

    “Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. ”

    For those of us still running XP, will this fix work for us? I have both Win7 and XP machines

    1. Tom R.

      Windows XP is no longer supported or updated with either security or performance enhancements. Your XP devices will forever be vulnerable to attack. It’s well past time for hardware and software upgrades to permanently secure your computing environment.

      1. Robert T

        Replacing XP is easier said than done. There are a fair number of embedded systems running XP Embedded. Unlike desktop systems, these devices are often remote and replaced only when they can’t be fixed. M$ released Windows 2009 Embedded which is, essentially, XPE with SP3. The boot screen still says XP.

        In my line of work, I am aware of systems still running DOS software on ‘286-based boards. And these devices aren’t the oldest computer-based systems running in this market.

        Even more recent systems dead-end at Windows 7 Embedded as Windows 8, et. seq. will not run on the Pentium-class, single-core processors in newer units.

        Old as they are, many are connected to networks, public and private.

    2. Stratocaster

      I agree with Tom R. If you are still running XP (support ended in April 2014, three and a half years ago!), the KRACK vulnerability is pretty low on your list of worries.

      I have an XP notebook (Wi-Fi disabled) which I use to back up my Palm Pilot (it still works fine) and run a few other pieces of legacy software which won’t run on Windows 10. Like most such machines, it was too underpowered to update to Windows 7.

  7. JellyToast

    I use the flashcontrol extension for chrome and it gives you very granular control over flash. You can also use windows registry to control flash by domain

    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\AllowedDomains\


  9. Debbie Kearns

    Well, I installed the Security Monthly Quality Rollup for Windows 8.1 (KB4048958) and the Security Update for Adobe Flash Player, but after many minutes of installing these patches, the screen was forever stuck on “Restarting…”, and I had to force-turn off my computer before turning it back on. After a few minutes it finally rebooted and the updates were installed successfully before I started my computer. Has the issue ever happened to you?

  10. Patrick Dreier

    Hello!

    Windows 8.1 is not good.

    With kind regards!

  11. Patrick Dreier

    Hello!

    XP support has ended; this is not good for users.
    Microsoft, you are creating security holes. What is this action of deleting Service Pack 3? Very stupid.

    With kind regards!

  12. rondity

    Install an addon that disables JavaScript, as well as Flash Player and any other software like it. Enable only when necessary. However, since Adobe intends to kill Flash Player by 2020, it would be good to look for alternatives, and also to hope that HTML5 support for animations, video as is currently catching on will not be a security nightmare as Flash Player has been (Adobe just released a patch to fix 62 vulnerabilities!).

Comments are closed.