March 13, 2018

Adobe and Microsoft each pushed critical security updates to their products today. Adobe’s got a new version of Flash Player available, and Microsoft released 14 updates covering more than 75 vulnerabilities, two of which were publicly disclosed prior to today’s patch release.

The Microsoft updates affect all supported Windows operating systems, as well as all supported versions of Internet Explorer/Edge, Office, Sharepoint and Exchange Server.

All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies, according to a post from security firm Qualys.

“It is recommended that these be prioritized for workstation-type devices,” wrote Jimmy Graham, director of product management at Qualys. “Any system that accesses the Internet via a browser should be patched.”

The Microsoft vulnerabilities that were publicly disclosed prior to today involve Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808), said Chris Goettl at Ivanti. Microsoft says it has no evidence that attackers have exploited either flaw in active attacks online.

But Goettl says public disclosure means enough information was released publicly for an attacker to get a jump start, or potentially to have access to proof-of-concept code, making an exploit more likely. “Both of the disclosed vulnerabilities are rated as Important, so not as severe, but the risk of exploit is higher due to the disclosure,” Goettl said.

Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this awfully buggy program.

Just last month Adobe issued a Flash update to fix two vulnerabilities that were being used in active attacks in which merely tricking a victim into viewing a booby-trapped Web site or file could give attackers complete control over the vulnerable machine. It would be one thing if these zero-day flaws in Flash were rare, but this is hardly an isolated occurrence.

Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.

For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.

The latest standalone version of Flash that addresses these bugs is 29.0.0.113 for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.


50 thoughts on “Flash, Windows Users: It’s Time to Patch”

  1. JimV

    There’s also an update for Adobe AIR, bringing it to v29.0.0.112 — slightly different than Flash at v29.0.0.113.

  2. Dean Marino

    PLEASE – provide info concerning any inclusions of deadly Spectre/Meltdown patches buried in the latest “rollup” package.

    My Family will continue to avoid rollup patch packages until we KNOW that this stuff is not hiding within.

    1. James

      Dean, if you are cautious about installing Microsoft Updates (you really should be) and want to know more about what’s in each KB, then you should be visiting Woody Leonhard’s incredible website https://www.askwoody.com/about-woody/. He will tell you what’s in each KB and instruct you when it’s safe to install them with his “Defcon” rating system. I’d be lost without him.

  3. Muffin

    This question is off-topic, but I hope Brian will address it here or in a column. I just learned that Secunia PSI will not exist after 4/20/2018. Any suggestions on a replacement Personal Software Inspector?

  4. Steve

    Please be aware, KB2952664 was included in the ‘important’ patches. You might want to uncheck/hide it prior to installing the update.

  5. Viraj

    Sir,

    You have mentioned 14 updates. Surely they cover all versions of Windows. I have Windows 7 Home Basic and there are only 5 updates available. Is that adequate?

    Further,
    The Adobe Flash Player version shows to have reached the latest and yet when I press-“check your flash player version, I am told you don’t have it”. This happens all the time. My add on for Firefox 59 has been checked for always activate for 2 consecutive days. What could possibly be the reason for this message then?

    Thanks and Regards,

  6. Wayne

    QUESTION: I was thinking about moving from Chrome to Firefox, but I’d like to know if Flash updates for the latter are automatically downloaded (like Chrome and Edge), or do we have to do it manually, like in the old days?

    1. timeless

      I believe it’s a manual thing.

      Firefox doesn’t include Flash, and therefore it isn’t in a position to update it.

      If that’s your interest, I’d suggest using a different browser on the rare occasion that you need Flash.

      1. James Edward Lewis II

        Edge uses the copy of Flash Player built into Windows, and when Adobe stops supporting the Flash plugin, Edge will no longer be able to show Flash Player content; Chrome is bundled with Flash Player and updates it automatically, but browsers based on Chromium (like Opera) do not.

        That is, you need to update Flash manually for Firefox and Opera, but not for Chrome or Edge; still, even for the Firefox and Opera versions, Adobe does make an update notification service available.

  7. Rocky Smith

    I have seen in some website, is it true – Adobe is planning to put an end to Flash Player by the end of 2020?

  8. Drone

    COMPUTERWORLD, Woody on Windows, Monday, 12 Mar. 2018:

    Turn Automatic Update off, temporarily, in anticipation of another round of pernicious patches

    January’s patches were horrible. February’s were a little better. Take a moment now to make sure you aren’t tossed in with the cannon fodder, and wait to see what tomorrow will bring…

    https://www.computerworld.com/article/3262625/microsoft-windows/turn-automatic-update-off-temporarily-in-anticipation-of-another-round-of-pernicious-patches.html

    1. SalSte

      Woody on Windows is a joke: his advice is essentially never install updates. Kind of irresponsible, but I have made a good amount of money from customers who took his advice and then got hit by a zero day of one sort or another so I shouldn’t complain too much.

      1. SalSte

        Rebuilding those computers that is, not infecting them lest someone think I’m one of the bad actors out there.

      2. Drone

        Yes, but Woody’s article includes links to instructions on how to make Windows LET YOU CHOOSE when and if you do a Windows update. That’s important, especially these days with so many bad updates coming from Microsoft.

      3. Woody Leonhard

        For the past eight years I’ve been studiously posting “Coast is clear” on the AskWoody — and now Computerworld — blogs when the patches are ready for prime time.

        With rare exception, I see no reason to install patches as soon as they’re rolled out the automatic update chute. And I see lots and lots of problems for those naive enough to install Microsoft’s patches as soon as they’re available.

        Folks need to install patches sooner or later, but it’s smart to give them a couple of weeks to age. This month we’re seeing a repeat of the same pattern that’s dogged us for many months – the Win7 Monthly Rollup and Word 2016 Security patches are dogs that break machines.

        1. JCitizen

          Glad to see you here Woody; your knowledge has been indispensable for years!

          Since I do help clients out of their PC woes, I usually go ahead and suffer the slings and arrows of their update problems by updating my lab machines, so I can figure out how to mitigate them or at least get them back to square one.

          I tell you that this 1709 Windows 10 update is the worst one I’ve had to wrestle with in years!

  9. Tdlsab

    Hello 2018-03 cumulative security updates for Windows 10 build 1709 error 0X80092004 since February patch. Please help.

  10. UseCaution

    Just a heads up: in a VMware ESXi 6 environment, all of our 2008 R2 guests rebooted with a deleted or hidden VM NIC1, which contained the guest’s static IP, and an additional VM NIC2, which had a new, DHCP IP address. The VM NIC1 doesn’t show up in Device Manager (show hidden devices) or the Network and Sharing Center. I restored 4 guests via Veeam as a result this morning.

    1. SecondUseCaution

      Alternate user with a slightly different environment than UseCaution with similar issue.

      From what I have been able to gather and from communication with VMware, something in the update appears to bump the virtual PCI bus which causes the vmnet3 and paravirtualization controllers to be reset. Secondary volume on alternate drive interface number comes up as offline when the system reboots due to default policy in 2k8r2. Have to re-configure the network interfaces and then online the drive. To prevent further issues with the volume being offline, have to adjust a policy.
      See
      http://www.happysysadm.com/2010/11/disk-is-offline-because-of-policy-set.html

      -G

    2. Scott

      Similar environment (ESXi 6, 2008 R2 guests) without the issue that UseCaution mentioned. vmxnet3 NIC, no changes to settings or IP address during the 201803 update.

  11. Taylor

    Have a Dell laptop with Intel I5 processor running Windows 7. Update did its thing successfully and now the laptop won’t boot. Go to do a restore point and the only restore I have available is from the update yesterday.

    Any advice?

      1. Taylor

        Thanks for the reply. There weren’t any additional restore points. When checking that box nothing else appears. Just the one from the time I did the update. Luckily I finally got it booted up. Not very confident it won’t happen again though. Last update I did in January did the same thing but I had more restore points to go back to. It’s concerning that I am unable to do these critical updates. Guess it’s time to start making sure I have everything backed up just in case.

        1. Bob

          You might want to manually create a restore point prior to running Windows Update, which should give you a spare restore point to use in case this happens again.

  12. Dr Flu

    warning the windows 10 fall creators expires in April with the arrived of windows 10 spring creator, which if you upgrade to this build, then the setup automatic install mandatory cortana and the latest windows store between more features. Everything was justified because many amd chip users experience troublesoot with the latest cumulative security updates (ask of microsoft for mitigate the spectre and meltdown variants)

    1. JCitizen

      I have a feeling that unless you own a brand new enterprise model of CPU (Xeon for instance) – you will not see an update for Meltdown/Spectre until Intel and AMD satisfy all their new customers that bought big server hardware lately. I wouldn’t hold my breath that the OEM can bring it forth either, unless you have a late generation i7 processor or AMD CPU. Even my clients with relatively new machines still have no update. If you have a fairly new UEFI firmware update, it may help mitigate it some, until a CPU update comes (if ever). Let’s face it, out of warranty, out of mind.

  13. Robert Clark

    This is a bit off topic, but has anyone looked at this website? It seems rather … sensationalistic to me … if true, it certainly puts a pall on the new AMD chips …

    https://amdflaws.com/

    Brian, can you look at this and see if any of it is true?

  14. Adnan Muklashy

    How can I download Adobe flash player to be able to play games on Hotmail

  15. Drone

    Micr$oft shoved their Tuesday update down my throat last night [about a day late]. This was the first update in a long time that went smoothly. Let’s hope there’s more than just luck at work this time.

  16. rick_flair

    Brian,
    I’m wondering if you can please suggest an alternative to Flexera PSI (formerly Secunia). It seems the free home-use product is now EOL as of 20-Apr-18… I’ve used the auto-patching application for several years based on your recommendation.
    Would you please be able to recommend a suitable alternative?

    >>On April 20, 2018, existing installations of PSI will no longer function and should be uninstalled

    Thanks Rick

    1. Cog

      File Hippo is good, Belarc is great to save passwords and perform a kind of audit of your hardware and software. I like patchmypc for updating and uninstalling programs:

      https://patchmypc.net/download

    2. JCitizen

      It is called the “application manager” from File Hippo. Just thought I’d put that in here in case someone gets confused with the older name they gave it before.

      1. JimV

        I’ve used FH for some years, and while I rely on it telling me about a new update at every boot there are some updates for which I’ll make sure to download directly from the vendor so I can get the full installer files and not some stub installer which can include who-knows-whatever-else those behind the curtains want to push out…

        If you happen to use the Panda AV app however, you’ll want to whitelist the “filehippo.appspot.exe” executable (better yet, the entire program’s folder), as with every new version update its default settings consider it as a PUP (potentially unwanted program), and routinely quarantine it. Even if you catch that Panda has intercepted FH and toggle it to restore from quarantine before you’ve rebooted, you may have to reinstall to clean up whatever might have gotten farkled and regain its functionality.

  17. JCitizen

    Luckily no problems on Windows 7 this patch Tuesday; had a BUNCH of application updates too! For some reason Adobe didn’t auto update until after this article came out; but at least it did it automatically. I just didn’t have time to check for it immediately after KOS let us know.

  18. timeless

    @Brian:

    > Microsoft says it has no evidence that attackers have yet to exploit either flaw in active attacks online.

    This appears to be a double negative {no-evidence} {have-yet-to}…

  19. JimV

    FYI, there’s also an update of Shockwave to v12.3.2.202.

  20. Chris Emrich

    I’m getting a pop up for update but when I click on it, it comes on in Spanish. What is that?

  21. grace

    Re Flash, I’ve been trying to replace it on my Mac,
    but Firefox won’t play HTML5 Video Everywhere .
    Can anyone suggest anything else? Thanks!
