Dec 17

Patch Tuesday, December 2017 Edition

The final Patch Tuesday of the year is upon us, with Adobe and Microsoft each issuing security updates for their software once again. Redmond fixed problems with various flavors of Windows, Microsoft Edge, Office, Exchange and its Malware Protection Engine. And of course Adobe’s got another security update available for its Flash Player software.

The December patch batch addresses more than 30 vulnerabilities in Windows and related software. As per usual, a huge chunk of the updates from Microsoft tackle security problems with the Web browsers built into Windows.

Also in the batch today is an out-of-band update that Microsoft first issued last week to fix a critical issue in its Malware Protection Engine, the component that drives the Windows Defender/Microsoft Security Essentials embedded in most modern versions of Windows, as well as Microsoft Endpoint Protection, and the Windows Intune Endpoint Protection anti-malware system.

Microsoft was reportedly made aware of the malware protection engine bug by the U.K.’s National Cyber Security Centre (NCSC), a division of the Government Communications Headquarters — the United Kingdom’s main intelligence and security agency. As spooky as that sounds, Microsoft said it is not aware of active attacks exploiting this flaw.

Microsoft said the flaw could be exploited via a booby-trapped file that gets scanned by the Windows anti-malware engine, such as an email or document. The issue is fixed in version 1.1.14405.2 of the engine. According to Microsoft, Windows users should already have the latest version because the anti-malware engine updates itself constantly. In any case, for detailed instructions on how to check whether your system has this update installed, see this link.
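One way to script that check on systems that ship the Windows Defender PowerShell module. This is an added example, not part of the original article or Microsoft's instructions; it assumes the `Get-MpComputerStatus` cmdlet and its `AMEngineVersion` property are available, and the function names are hypothetical:

```powershell
# Added example. The minimum version is the fixed engine build named in the text.
$FixedEngine = [version]'1.1.14405.2'

function Test-MpEngineVersion {
    # Returns $true when the reported engine version is at or above the fix.
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$Minimum = $FixedEngine
    )
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        throw "Unparseable engine version: '$EngineVersion'"
    }
    # Compare as [version], not as strings: as text, '1.1.9' sorts above
    # '1.1.14405.2' even though it is the older build.
    return $parsed -ge $Minimum
}

function Get-MpEngineStatus {
    # Reads the local engine version through the Defender module (assumed present).
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        Write-Warning 'Defender cmdlets not available; check the version in the product UI.'
        return
    }
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EngineVersion = $status.AMEngineVersion
        Patched       = Test-MpEngineVersion -EngineVersion $status.AMEngineVersion
    }
}

# Constructed sample values showing the comparison logic.
foreach ($v in '1.1.14306.0', '1.1.14405.2', '1.1.14500.5') {
    '{0,-14} patched={1}' -f $v, (Test-MpEngineVersion -EngineVersion $v)
}

# Report for the local machine.
Get-MpEngineStatus
```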

The Microsoft updates released today are available in one big batch from Windows Update, or automagically via Automatic Updates. If you don’t have Automatic Updates enabled, please visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

The newest Flash update from Adobe brings the player to v. on Windows, Macintosh, Linux and Chrome OS. Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.



  1. Another great article

  2. “The Microsoft updates released today are available in one big batch from Windows Update, or automagically via Automatic Updates.”

    – automagically – is that a joke or a typo? 😉

    • It’s an old joke that has become quite commonly used.

      • An old joke that makes me want to slap whoever still uses it. I’m looking at you, Glen, the database guy in my office.

    • au·to·mag·ic·al·ly


      adverb informal
      adverb: automagically
      (especially in relation to the operation of a computer process) automatically and in a way that seems ingenious, inexplicable, or magical.

  3. There’s also an update for Adobe AIR, bringing it to v28.0.0.127.

  4. I’m pretty sure this update keeps giving me a “critical process died” error resulting in the BSoD. I’ve run system check and disk repairs but everything comes back ok until the update automatically starts.

  5. This update broke Chrome browser. I need to click 8 error messages away before it loads. Might be plugin related.

  6. Maybe someone can offer a tip on what is going on …

    Laptop w/W10 runs auto update w/o any problems.

    Desktop w/W7 Home Premium is another matter.

    1. Go to Control Panel – Windows Update
    Hourglass runs and runs. Needed Task Manager to stop it.
    2. Restart computer
    3. Go to Control Panel – Windows Update
    4. Click on Check for Updates
    5. Message comes up:
    Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
    6. Shut computer down, then start up.
    7. Repeat Steps 3 & 4
    8. Result as in Step 5

  7. You have to run the mrt command first, prior to updating. My Asus q551 makes me run Asus update prior to the mrt command. Different toys, different ways to play games with the end user.

    • Sorry for the ignorance, but what is the mrt command?
      Malicious software removal tool?

      BTW, the machine is several years old and never had this problem before.

    • Ran the malicious software removal tool. It did not find anything.

      Then went to Control Panel -> Windows Update again.
      Same end result as before; hourglass for ever. Needed Task Manager to stop the hourglass.

  8. It broke the Scan to Email feature on all 7 of our Snapscan ix-500’s. It returns a 0x001a error, sending email failed. I also tried it from word, but haven’t used it in a while, so I’m not sure if related.

  9. I installed the patch last Tuesday night on a computer running Windows 7, but now the computer stalls just before log in. I cannot boot into safe mode either and all recovery disk options (such as system restore and return to last successful boot) have failed. There are no hardware failures.

    • At reboot from the patch, my drive letters are changed. Windows is now on drive E, instead of. I cannot boot. The Seven Forums solution did not work.

  10. It’s so ironic and funny that 30 years down the road, Micro$oft can’t STILL get their update act together. It’s astounding, actually, but it keeps us IT guys and computer geeks in business. It got so bad on our Dell PowerEdge servers that I created a scheduled task to reboot them the second Wednesday (Crash Wednesday) morning of every month before staff comes in. Seems to be saving quite a bit of worker down time, BTW. Speaking honestly, I also run Ubuntu 16.04, and Kali Linux on my personal computers and I can’t remember the last time that an update broke something. You’d think Micro$oft would take the hint…

  11. Microsoft also snuck in a fix for the DDE exploit that came out in October. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170021

  12. A security blog reporting a windows patch? Is Krebs supporting Windows as a main operating system even in light of all the key logging and microphone recording strategies these major companies are implementing to gather data and track users?

  13. This is amazing stuff. It has helped me permanently fix multiple Windows machines that suffered from the “never-ending Windows Update searching for updates” issue. Thanks for sharing this article.

  14. After this update, I am facing a problem with Chrome browser. Getting an error before Chrome loading.