December 12, 2017

The final Patch Tuesday of the year is upon us, with Adobe and Microsoft each issuing security updates for their software once again. Redmond fixed problems with various flavors of WindowsMicrosoft Edge, Office, Exchange and its Malware Protection Engine. And of course Adobe’s got another security update available for its Flash Player software.

The December patch batch addresses more than 30 vulnerabilities in Windows and related software. As per usual, a huge chunk of the updates from Microsoft tackle security problems with the Web browsers built into Windows.

Also in the batch today is an out-of-band update that Microsoft first issued last week to fix a critical issue in its Malware Protection Engine, the component that drives the Windows Defender/Microsoft Security Essentials embedded in most modern versions of Windows, as well as Microsoft Endpoint Protection, and the Windows Intune Endpoint Protection anti-malware system.

Microsoft was reportedly made aware of the malware protection engine bug by the U.K.’s National Cyber Security Centre (NCSC), a division of the Government Communications Headquarters — the United Kingdom’s main intelligence and security agency. As spooky as that sounds, Microsoft said it is not aware of active attacks exploiting this flaw.

Microsoft said the flaw could be exploited via a booby-trapped file that gets scanned by the Windows anti-malware engine, such as an email or document. The issue is fixed in version 1.1.14405.2 of the engine. According to Microsoft, Windows users should already have the latest version because the anti-malware engine updates itself constantly. In any case, for detailed instructions on how to check whether your system has this update installed, see this link.

The Microsoft updates released today are available in one big batch from Windows Update, or automagically via Automatic Updates. If you don’t have Automatic Updates enabled, please visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

The newest Flash update from Adobe brings the player to v. 28.0.0.126 on Windows, Macintosh, Linux and Chrome OS. Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.


25 thoughts on “Patch Tuesday, December 2017 Edition

  1. JF

    “The Microsoft updates released today are available in one big batch from Windows Update, or automagically via Automatic Updates.”

    – automagically – is that a joke or a typo? 😉

    1. Tom Welsh

      It’s an old joke that has become quite commonly used.

      1. Thrael

        An old joke that makes me want to slap whoever still uses it. I’m looking at you, Glen, the database guy in my office.

    2. Jamison

      au·to·mag·ic·al·ly

      ôdəˈmajək(ə)lē

      adverb informal
      adverb: automagically
      (especially in relation to the operation of a computer process) automatically and in a way that seems ingenious, inexplicable, or magical.

  2. JimV

    There’s also an update for Adobe AIR, bringing it to v28.0.0.127.

  3. LC

    I’m pretty sure this update keeps giving me a “critical process died” error resulting in the BSoD. I’ve run system check and disk repairs but everything comes back ok until the update automatically starts.

  4. Jan van Zanten

    This update broke Chrome browser. I need to click 8 error messages away before it loads. Might be plugin related.

  5. George G

    Maybe someone can offer a tip on what is going on …

    Laptop w/W10 runs auto update w/o any problems.

    Desktop w/W7 Home Premium is another matter.

    1.Go to Control Panel – Windows Update
    Hourglass runs and runs. Needed Task Manager to stop it.
    2. Restart computer
    3. Go to Control Panel – Windows Update
    4. Click on Check for Updates
    5. Message comes up:
    Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
    6. Shut computer down, then start up.
    7. Repeat Steps 3 & 4
    8. Result as in Step 5

    1. TeeCee

      Seems Microsoft screwed up and let an authorization file for Microsoft Update expire. This broke Windows Update for many Win 7 machines around December 2 (the expiration date). It is supposedly fixed now, but one solution that worked for me and several other machines at my company was: Change the update setting to “Never check for update” and then back to “Install updates automatically.” No restart is needed or anything, just taking those 2 actions resolved it.

      Here’s a link with some additional details if you’re interested:
      https://www.askwoody.com/forums/topic/windows-update-in-win7-now-appears-to-be-working-properly/#post-150083

    2. George G

      Searched for and found solution that worked:

      Click Start
      Type: cmd
      Right click on cmd in start menu and select ‘Run as Administrator’
      Type: net stop wuauserv
      Hit Enter
      Type: ren c:\windows\SoftwareDistribution softwaredistribution.old
      Hit Enter
      Type: net start wuauserv
      Hit Enter
      Type: exit
      Hit Enter

  6. Jim

    You have to run the mrt command first, prior to updating. My Asus q551 makes me run Asus update prior to the mrt command. Different toys, different ways to play games with the end user.

    1. George G

      Sorry for the ignorance, but what is the mrt command?
      Malicious software removal tool?

      BTW, the machine several years old and never had this problem before.

    2. George G

      Ran the malicious software removal tool. It did not find anything.

      Then went to Control Panel -> Windows Update again.
      Same end result as before; hourglass for ever. Needed Task Manager to stop the hourglass.

  7. Don L

    It broke the Scan to Email feature on all 7 of our Snapscan ix-500’s. It returns a 0x001a error, sending email failed. I also tried it from word, but haven’t used it in a while, so I’m not sure if related.

  8. Shinki-itten

    I installed the patch last Tuesday night on a computer running Windows 7, but now the computer stalls just before log in. I cannot boot into safe mode either and all recovery disk options (such as system restore and return to last successful boot) have failed. There are no hardware failures.

    1. Shinki-itten

      At reboot from the patch, my drive letters are changed. Windows is now on drive E, instead of. I cannot boot. The Seven Forums solution did not work.

  9. Catwhisperer

    It’s so ironic an funny that 30 years down the road, Micro$oft can’t STILL get their update act together. It’s astounding, actually, but it keeps us IT guys and computer geeks in business. It got so bad on our Dell PowerEdge servers that I created a scheduled task to reboot them the second Wednesday (Crash Wednesday) morning of every month before staff comes in. Seems to be saving quite a bit of worker down time, BTW. Speaking honestly, I also run Ubuntu 16.04, and Kali Linux on my personal computers and I can’t remember the last time that an update broke something. You’d think Micro$oft would take the hint…

  10. Hussar

    A security blog reporting a windows patch? Is Krebs supporting Windows as a main operating system even in light of all the key logging and microphone recording strategies these major companies are implementing to gather data and track users?

  11. Ross West

    This is amazing stuff. It has helped me permanently fix multiple Windows machines that suffered from the “never-ending Windows Update searching for updates” issue. Thanks for sharing this article.

  12. Ali

    After this update, i am facing a problem with chrome browser. getting an error before chrome loading.

Comments are closed.