Microsoft today released a bevy of security updates to tackle more than 50 serious weaknesses in Windows, Internet Explorer/Edge, Microsoft Office and Adobe Flash Player, among other products. A good number of the patches issued today ship with Microsoft’s “critical” rating, meaning the problems they fix could be exploited remotely by miscreants or malware to seize complete control over vulnerable systems — with little or no help from users.
February’s Patch Tuesday batch includes fixes for at least 55 security holes. Some of the scarier bugs include vulnerabilities in Microsoft Outlook, Edge and Office that could let bad guys or bad code into your Windows system just by getting you to click on a booby trapped link, document or visit a compromised/hacked Web page.
As per usual, the SANS Internet Storm Center has a handy rundown on the individual flaws, neatly indexing them by severity rating, exploitability and whether the problems have been publicly disclosed or exploited.
One of the updates addresses a pair of serious vulnerabilities in Adobe Flash Player (which ships with the latest version of Internet Explorer/Edge). As KrebsOnSecurity warned last week, there are active attacks ongoing against these Flash vulnerabilities.
Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.
For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.
The latest standalone version of Flash that addresses these bugs is 28.0.0.161 for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
People running Adobe Reader or Acrobat also need to update, as Adobe has shipped new versions of these products that fix at least 39 security holes. Adobe Reader users should know there are alternative PDF readers that aren’t so bloated or full of security issues. Sumatra PDF is a good, lightweight alternative.
Experience any issues, glitches or problems installing these updates? Sound off about it in the comments below.
“Adobe is phasing out Flash entirely by 2020.”
Hallelujah!
Amen!
Working at a federal agency in patch management is very difficult for this very reason. I desperately want to put a countdown clock to 2020 up somewhere but I’m afraid it would be misinterpreted.
@James H. — In case we manage to survive until 2020 anyway…
Any word on whether the January Patch Tuesday patches that were causing Blue Screens (BSODs) have been remedied in this or a re-release batch?
Have done as you suggested, i.e., stopped auto Windows updates for now. PLEASE LET US KNOW WHEN YOU THINK IT SAFE TO RETURN TO THE STATUS QUO
Regarding Sumatra PDF that is mentioned as Adobe Reader alternative – I too really like this feature rich and very lightweight program (not to mention it doubles as an ebook reader) but it hasn’t been updated for about 18 months now.
There are some alarming mentions of unpatched security vulnerabilities (maybe not in Sumatra itself but the underlying muPDF open source engine) in the Sumatra forums. The latest Sumatra 3.1.2 installer is dated 16 August 2016 and the latest muPDF is dated more than a year later – 13 December 2017.
I am not that tech/security savvy and I wondered what are other people’s opinions regarding that matter is and if Sumatra PDF is still secure to use ?
my first thinking was, go for another PDF reader that is less used (thereby less reviewed security wise) ?
and why mention only SumatraPDF?
Win7 user – Be careful before clicking ‘accept’. It appears that the KB 2952664 patch is back in list as ‘important’. Previously, this was the patch that backported the Win10 telemetry.
link
If anyone has more up to date info about KB 2952664, I’d appreciate it.
Just hide that one. They are just trying to get some telemetry on your machine. That update is related to CEIP which is an optional thing, so you don’t need it.
CEIP is Customer Experience Improvement Program or Active Telemetry. Mine was turned off but I found some task that were active. See here to disable those if they are active.
https://pubs.vmware.com/view-52/topic/com.vmware.view.administration.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html
The update forced itself on me early 2/14. Since, the operating system hasn’t worked and I look at a black screen after the colorful screensaver iceberg page.
Good job MS. My computer is certainly secure now anyway.
Good thing I have a backup laptop,
Same here. Update on log off last night. Black screen of nothing this morning. AMD A6 “Vision” with Win7… This makes only the second time I have had to start over from a system killing issue. Both times were from Microsoft updates.
If you don’t have any other options, you might want to keep trying to reboot. Used the hold down the power button forced shutdown and rebooted again and now it appears to be ok. Someone else reported that they had success after repeat reboot attempts too. Good luck. Sad that the biggest threat to my PCs over the years have been MS updates :/
Page said duplicate comment when I tried to reply. I had the same issue on AMD A6 “Vision” Win7 system. Was your system AMD or Intel? All I have is the black screen of death.
Seeing SEVERAL comments about Black Screens/bricked computers….
We run Win7, Intel. Going to HIDE the Feb Cumulative Update, just as we did with Jan.
We SERIOUSLY need to know when a Cumulative Update contains hidden Specter/Meltdown “killer patches” :(.
And the same here – black screen after patches applied and reboot on old Athlon Win7 desktop. Only the power button works to reboot. BIOS appears and then nothing. Tried restoring the MBR and boot partition – nothing. Tried rolling back to a restore point – all tries failed.
your comment is not clear
did you experience issues?
do you have any official information that feb patches will be pulled back?
i had the same problem, only with a little white box in top left that said Personalized Settings were not responding. i shut down and turned it back on manually a coupla times and it was the same. but the last time i used the windows button in the right bottom corner of the start screen to actually have the computer restart itself, and this time it started ok.
Same issue you described. After multiple reboots, tried and successfully logged in on my second user account which loaded personal details properly. Shut down and restarted; logged in to my own (normal) user account which worked properly. I’m a novice so didn’t understand most of the technical guidance found on Microsoft forum about deleting files and start-up routines. Guess I just got lucky.
2018-02 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4074588) – Error 0x80073715
So this is fun… Not! and not much help out there yet that I have found as to what the issue is or how to fix it…
“I am not that tech/security savvy and I wondered what are other people’s opinions regarding that matter is and if Sumatra PDF is still secure to use ?”
Is there such a thing as a “secure” media player/pdf viewer app?
Or just one that hasn’t been demonstrated with a POC as vulnerable?
“I had the same issue on AMD A6 “Vision” Win7 system.”
AFAIK issues tend to happen with these latest updates on systems with a hybrid of Intel and AMD video stacks. If you’re A6 ‘hybrid’ or ‘shared’ video that maybe could be it.
Uninstall all your graphics drivers, Nvidia and AMD and Intel.
ddu.exe
Put them back selectively at minimum config and see if that solves the issue. The drivers are maybe fighting in the Windows stack. It’s a sh!tshow right now.
It irks me to still find websites that sling Flash content.
I know that most of it is likely ad services that seem to allow any format of content for ads, but come on!!
Web site owners and operators need to get some stones and say no to Flash content regardless of its purpose or source. If they have an ad service engaged on their website, they need to put the hammer down on those miscreants regarding Flash content.
Flash needs to die as soon as possible, but it is also important that users do not get popups or warnings saying that content requires Flash to work… as soon as possible.
Stop the Flash content madness!!!
Just bought a new PC with Windows 10 after my faithful XP machine finally croaked. New PC… Fantastic. Then Microsoft updates the OS and the damn thing fails to boot. I see I’m not alone… Why do they think this disregard for other businesses is in any way acceptable?
The update was forced 2/14. Had trouble rebooting, only to discover that my (don’t laugh) Mcafee security suite was uninstalled. Why would a Windows update uninstall software that was purchased and installed by a user? Make no mistake, I know that this happened. Upon restart, the Windows Action Center opened automatically. All features was active. I did not do this myself. To use the current parlance, WTF?
I had this naive idea years ago that after a couple years worth of patching, that the attack surface would be reduced to the point where it is nearly negligible.
And this clearly has not happened – it just seems like every month there is something else, which results in lots of time wasted as I update multiple machines. In the meantime, people come up with security “scanning” tools that become ever more intrusive with more and more “false positives”, and also add to workload.
Part of me will be glad to see the end of flash, but realistically I will need to keep an old browser with flash around for various special things like VMWare, DRAC, etc.
I don’t know if this is tricky or if I’m dense. (Or both) I thought not enabling or installing Flash in any of my browsers – I implemented this more than a year ago – meant I was Flash-free.
Not so.
My browsers are, indeed, Flash-free, but some hardware vendors (e.g.: Brother printers, Samsung cell fones) persist in distributing related drivers and software that initially install a free-standing version of Flash. Specific to Samsung, the software relies on Flash.
Being Flash-free involves a heavier lift than merely purging Flash from browsers. (Though that’s not a bad start….)
KB4074588 causes display issues… My AMD threadripper system had them after the patch. My screen flickers on and off constantly. I was able to painstakingly log in after reboot, and roll back this shty update. The PC started working normally again. I Paused updates for a month to give me time to do important work. This is a production workstation and Microsoft has no problems just pushing patches without worry of consequences. I swear the day Adobe releases it’s software on Linux I’m dropping Microsoft like the useless company it has become.
Do you have an intel CPU? See my comment above.
microsofts site says that there is still some kind of need for the registry key , in you r experience is it still needed?
https://support.microsoft.com/en-us/help/4074588/windows-10-update-kb4074588
Since the Feb 18 set of updates to my W10 computer, my W7 machines does not display the W10 computer on local network.
The week of February 12th we had approximately 7 computers stop booting and enter the repair mode loop. We were unable to get any of those computers restored by repairing, refreshing, or restoring. The only solution was to do a fresh install of the OS. One of these computers was a brand new Lenovo P40 Yoga that I was just starting to set up. This system got all the way up to the installing windows updates and then went into the repairing the system loop. The only way to get that computer working again was to delete the drive partitions and do a fresh install of Windows 10.
In addition, we found that several computers had their keyboards and mice completely stop working. Those systems had to be remoted into and have the KB4074588 patch removed, which fixed the problem.
What has happened to Microsoft? This type of thing would happen on rare occasions but has now become SOP.
We had 60 out of 300 get black screen of death since feb 13th and the dism /revertpendingactions command will usually make it bootable, then start menu may be broken -fix with get-app foreach -disabledevelopermode powershell scripts you find discusses recently only After sfc scannow and sfc restorehealth succeed. Occasionally it kills domain trust and chrome. Also make 100% sure you disable windows update AND wmi services until further notice or hours later youll be black screened again!! I have m$ cases open and they know they messed up big but they dont have fixes yet. Worst ive seen in 20years. Shameful.
Rstrui.exe to system redtore oldest Point on the worst cases, then disable update and wmi services then sfc and dism restore health. If dism and sfc and get-app foreach dont work try blowing out all updates delete softwaredistribution folder etc etc then try restorehealth
This security update is really working for me, I personally feel that this security system is adorable which I found, while using this I got some system error which I resolve quickly by System Thread Exception this is a nice website too sort out your issue.
It seems KB4087256 and KB4074588 might be causing usb and usb hub problems. And since they are stability upgrades uninstalling them doesn’t work for some.
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/how-can-i-uninstall-kb4087256/126e3d8a-cbd0-4084-8051-ca79b7618066
https://www.reddit.com/r/sysadmin/comments/7zozve/windows_update_kb4074588_is_breaking_usb/
I was able to restore my system, but some of the 7256 files are still corrupted and those aren’t touched by sfc /scannow.
KB4074588 was one of those patches. However, it’s so buggy, and caused so many issues with win10 usb devices that many are removing it. I wonder if there’s anything critical in that update.
Microsoft cannot distribute good updates anymore. This company is clueless on what is important to end users. Stability does not apparently come to the minds of Windows team. They focus solely on new features and pushing out more crap nobody really wants. All the while ignoring problems monthly that inhibit production and basic functions. I would like to scream out, can we just get a stable basic OS here without all the crap?
Interesting reading! My 360 deg laptop now no longer works in tablet mode since the February updates. In the end I re-installed windows 10 as a clean install but tablet mode still won’t work. Any suggestions?
At a point that I don’t trust much Microsoft these days. Cannot even do Windows updates without issues. Edge browser is a failure, but Microsoft continues to try every which way to force you to use it. Like Windows 10S or nags about trying Edge, or some other means. Can’t go to a Microsoft site without the nag to try Edge. Guess Google does similar so this is not just a Microsoft thing. But with Chrome dominating browsers why does Google even have to promote Chrome? You got a small percentage that use IE/Edge, very few using other browsers and Firefox stagnant as well. I think I have re installed Windows 10 more then any other Windows since Windows 98. Seriously, I never had this much problems with XP or Vista and Windows 7 in my opinion was still way more stable then Windows 10. I have thought Windows 10 was like a bad work in progress that started off with a bad foundation. It should have become better with age, but it has not.