Microsoft today released a bevy of security updates to tackle more than 50 serious weaknesses in Windows, Internet Explorer/Edge, Microsoft Office and Adobe Flash Player, among other products. A good number of the patches issued today ship with Microsoft’s “critical” rating, meaning the problems they fix could be exploited remotely by miscreants or malware to seize complete control over vulnerable systems — with little or no help from users.
February’s Patch Tuesday batch includes fixes for at least 55 security holes. Some of the scarier bugs include vulnerabilities in Microsoft Outlook, Edge and Office that could let bad guys or bad code into your Windows system just by getting you to click on a booby trapped link, document or visit a compromised/hacked Web page.
As per usual, the SANS Internet Storm Center has a handy rundown on the individual flaws, neatly indexing them by severity rating, exploitability and whether the problems have been publicly disclosed or exploited.
One of the updates addresses a pair of serious vulnerabilities in Adobe Flash Player (which ships with the latest version of Internet Explorer/Edge). As KrebsOnSecurity warned last week, there are active attacks ongoing against these Flash vulnerabilities.
Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.
For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.
The latest standalone version of Flash that addresses these bugs is 18.104.22.168 for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
People running Adobe Reader or Acrobat also need to update, as Adobe has shipped new versions of these products that fix at least 39 security holes. Adobe Reader users should know there are alternative PDF readers that aren’t so bloated or full of security issues. Sumatra PDF is a good, lightweight alternative.
Experience any issues, glitches or problems installing these updates? Sound off about it in the comments below.