April 10, 2018

Adobe and Microsoft each released critical fixes for their products today, a.k.a “Patch Tuesday,” the second Tuesday of every month. Adobe updated its Flash Player program to resolve a half dozen critical security holes. Microsoft issued updates to correct at least 65 security vulnerabilities in Windows and associated software.

The Microsoft updates impact many core Windows components, including the built-in browsers Internet Explorer and Edge, as well as Office, the Microsoft Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure.

The Malware Protection Engine flaw is one that was publicly disclosed earlier this month, and one for which Redmond issued an out-of-band (outside of Patch Tuesday) update one week ago.

That flaw, discovered and reported by Google’s Project Zero program, is reportedly quite easy to exploit and impacts the malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.

Microsoft really wants users to install these updates as quickly as possible, but it might not be the worst idea to wait a few days before doing so: Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release. However, depending on which version of Windows you’re using it may be difficult to put off installing these patches.

Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. In any case, don’t put off installing these updates too long.

Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this buggy program.

Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Google Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.

For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.

The latest standalone version of Flash that addresses these bugs is 29.0.0.140  for Windows, MacLinux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

More information on today’s updates is available from security vendors Ivanti and Qualys.

As always, if you experience problems installing any of these updates, feel free to note your issues in the comments below. Chances are, another reader here has experienced something similar and can assist in troubleshooting the issue.


37 thoughts on “Adobe, Microsoft Push Critical Security Fixes

  1. The Sunshine State

    Rather light on the security patches this month?

  2. Tim

    Has anyone received word if this includes the revised patch that undoes the havoc caused by the 2008 R2 03-2018 rollup?

    Word from MS was that the bug would be fixed with April rollout.

  3. Nikki

    Too little too late. My computer is ruined because Windows Defender did not stop a virus that apparently found a way to exploit the Microsoft Edge browser and replicate Adobe Flash Player.

    1. AndrewJ

      Anti-virus prevents some but not all viruses. You still need to practice safe computer behaviour such as Krebs’ “Tools for a Safer PC” (see link on right) to prevent yourself from being infected.

      Think of it like a car: it’s much better to have a new car with ABS, auto-braking, airbags etc but all those safety features don’t mean that you should drive without care.

      1. Nikki

        You are so right. Thank you for the tip. I am reading them as we speak.

    2. JellyToast

      Don’t use MS browsers. They are too embedded into the OS. Also use an ad blocker like uBlock origin and flash blocking extensions.

    3. Steve C#

      From your posting you sound like novice. No disrespect intended.

      1) Do not use Edge, use Chrome, Firefox or Opera instead.
      2) It you must use a Microsoft browser on a Microsoft website use IE
      3) You need a serious, professional grade anti-virus application, Windows Defender does not meet the requirements

      1. Mike

        It’s mostly the same post every month, with a couple areas changed or updated to be specific to the month.

  4. Catwhisperer

    Sadly, in a corporate environment, Microsoft updates cause lots of headaches. I.e. Windows Server 2012, last Patch Tuesday in March, something was updated that introduced a bug in DHCP that causes most Apple devices (iPhones, iPads, and MacBooks) to not correctly get an address when coming into the building. They get stuck in the 192.168/8 address space, rather than in the corporate 10.1/8 address space. Since that last update, I’ve had to do the workaround of reserving address leases, and having the users cycling WIFI on those Apple devices to get the devices connected, among other workarounds.

    What’s really sad is that I have been around Windows since the days of WIN386, and THEY STILL DON’T HAVE THEIR $H!T together with updates. It’s the primary reason I go with Linux whenever possible… Linux updates never break the machine, at least in my experience so far. But I’m sure there are exceptions to that rule also.

  5. Carol Becker

    Installed update today 9:30 p.m. now can’t access computer get message on Startup user profile not found. Then underneath it says okay I click okay and it logs off. Then it comes back with the same thing for my startup picture I click on my kitty cat picture and again it says user profile not found and under that it says okay and I click on that and we start the loop over again. I have tried restore point and that hasn’t had fixed it don’t know what to do next this is a Windows 7 Professional.

    1. KrebsReader6000000

      Carol Becker, The same thing is happening with my windows 7 customers. This is the third month in a row for Win 7 customers getting bricked by MS updates. I wonder if the rumors are true about MS sabotaging Win 7 customers jto get them to buy Win 10 and office 365. I have now turned off auto updates for all of my win 7 customers.

      1. Zach

        I’ve been running Windows 7 for the past 6 years and I haven’t had a single update issue. I wonder why only some systems are effected in a negative way during updates and others operate just as intended.

        1. SalSte

          The main reason for patches breaking systems in my experience is third-party software. I’ve had to recover plenty of computers from update crashes thanks to poorly written third-party software that adds files into Windows system files or rely on a specific version of a piece of software, like .Net. When the OS is upgraded, the background services for the software can break and prevent the OS from even booting.

          Older operating systems like Windows 7 also aren’t as good at clearing out older versions of system files and out of date updates so there’s just a higher degree of instability.

          1. KFritz

            Do you have a ‘worst offenders’ list for third party software?

            1. Shawn Steward

              I’ve seen so many different applications cause issues with patches. Some of the most common are out of date hardware drivers that create a service in order to run (trackpads and audio are common), antivirus, and several types of accounting and design software that are more common in a business environment.

    2. David

      I just had to deal with this problem with my Windows 7 computer. What worked for me was to create another user profile and then repair the other user profile I could not log in to. Detailed instructions from Microsoft are at: https://support.microsoft.com/en-us/help/947215/you-receive-a-the-user-profile-service-failed-the-logon-error-message
      I used Method 1 to repair the user profile and I was able to log back in again. Warning: Method 1 involves working with the registry, so the standard precautions apply, but if you’re comfortable working with the registry, this may solve your issue.

      1. hammertime

        Same situation here Win7Pro x64 and fixed it with the steps in the article you linked. However, I also found my little 128GB SSD was <10GB free space at the time so I wonder if that is what caused my profile issue, or the updates that were coincidental?

        1. CP

          My PC has a very small SSD and when it gets below 10% remaining space it goes haywire.

  6. Wayne

    I was told that Tuesday was supposed to be the Spring Creators’ Update, but nothing has happened. I haven’t seen any blogs say if it was cancelled and why.

    1. Mike

      The twice-yearly updates are always on a “slow-roll”. They take 8-12 weeks before everyone will get them, and your computer will have to pass all the validations before you even see it (all drivers up to date & compatible, etc). I wouldn’t want to get it this quick, it’s been a 50/50 shot whether it will be good, or wreck your machine.

  7. Hennz

    I do not but KB4099989 but Windows 10 build 1709 Will continue show me with error 80092004. Vestido I must wait the 1803 spring crearle and avoid this patch?

  8. DLivesInTexas

    It is increasingly obvious that following Microsoft’s advice on patching is foolish and likely more detrimental than helpful.

    AskWoody.com, a site run by long-time expert Woody Leonhard, has some refreshingly honest advice about how to safely maintain all versions of Windows.

    The site includes invaluable input from Susan Bradley, an expert in real-world Windows patching.

    It is definitely a technology site, but it does offer some simple advice on how to handle the Windows update mess.

    1. SalSte

      Good old AskWoody. The guy who all but tells you to just disable Windows Updates entirely….

    2. KFritz

      As of 2pm West Coast time, April 14, ‘good old Woody’s site hasn’t updated the review list for the April 9 updates. Only for April 3.

  9. Eric

    The thing I don’t like is how MS just pushes the thing down in the middle of the night and reboots. Whatever work you were in the middle of – well that’s gone, and you get to try and pick up the pieces in the morning.

    They seem to incorrectly assume that everyone is either using Office or a browser of some sort, and that those tools will preserve settings in some fashion or another. But if you are using something else (such as a command window), well too bad.

    1. trefunny

      maybe use Linux instead if you are doing work like that ( I assume calculations or something that runs for days/weeks/months?).

  10. Debbie Kearns

    As you know, I installed the update, but now, when I try to shut down my computer, the screen is stuck on “Shutting down” for 30 minutes. I figured it has something to do with the update, huh?

  11. grace

    Re Flash, I’ve been trying to replace it on my Mac,
    but Firefox won’t play HTML5 Video Everywhere .
    Can anyone suggest anything else? Thanks!

  12. pt

    Applied the updates (simultaneously — very stoopid) to a pair of Server 2008 R2 instances running under VMWare Workstation. Both now bluescreen on startup with STOP 0x7E. Thanks MS; these are vital for my job.

    1. SalSte

      VMWare Workstation is built more for development purposes, not for running production or mission critical virtual machines. You may be better suited to using a level one (bare metal) hypervisor than one that runs inside of another operating system.

  13. John

    Windows 7 is a mess with updates worse then Windows 10. I moved beyond Win 7 as it became clear Microsoft is not focused on Win 7 anymore. Kudos’s to anyone willing to move past Windows for a OS although I seriously doubt many will try. For most users you deal with what you have in a OS installed when you buy a PC. For many that’s Windows. I’ve dealt with Windows since 3.11 and believe me much of this stuff isn’t even close to the issues back with 3.11, Win 95 and Win 98.

    1. v1adimir

      You’re right about that. Today users are (literally) simply one click away from completely wrecking their lives. Bank and credit card information, is but one thing. All of the documents, all of the data, accessible through various (software) integration from any part of the system, as long as there’s a network connection. Just when you think that it couldn’t get any worse, we get Adobe Flash integration… I guess that they may be looking at it as “job creation” (& for the police, too), LOL xD

  14. v1adimir

    An absolutely *terrible* idea, to integrate Adobe Flash into the OS; just like with the MHTML web engine (Internet Explorer and Windows)., so that they can sell things and push ’em onto users. What was (so) wrong about installing a PDF reader, nothing (at all).

Comments are closed.