Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, including several flaws that were publicly detailed prior to today and one “zero-day” bug in Windows that is already being actively exploited by attackers.
As per usual, the bulk of the fixes from Microsoft tackle security weaknesses in the company’s Web browsers, Internet Explorer and Edge. Patches also are available for Windows, Office, Sharepoint, and the .NET Framework, among other components.
Of the 61 bugs fixed in this patch batch, 17 earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to break into Windows computers with little or no help from users.
The zero-day flaw, CVE-2018-8440, affects Microsoft operating systems from Windows 7 through Windows 10 and allows a program launched by a restricted Windows user to gain more powerful administrative access on the system. It was first publicized August 27 in a (now deleted) Twitter post that linked users to proof-of-concept code hosted on Github. Since then, security experts have spotted versions of the code being used in active attacks.
According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. The first, CVE-2018-8457, is a critical memory corruption issue that could be exploited through a malicious Web site or Office file. CVE-2018-8475 is a critical bug in most supported versions of Windows that can be used for nasty purposes by getting a user to view a specially crafted image file. The third previously disclosed flaw, CVE-2018-8409, is a somewhat less severe “denial-of-service” vulnerability.
Standard advice about Windows patches: Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Windows 10 likes to install patches and reboot your computer on its own schedule, and Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added peace of mind while you’re sitting there praying for the machine to reboot successfully after patching.
The sole non-Microsoft update pushed by Redmond today fixes a single vulnerability in Adobe Flash Player, CVE-2018-15967. Curiously, Adobe lists the severity of this information disclosure bug as “important,” while Microsoft considers it a more dangerous “critical” flaw.
Regardless, if you have Adobe Flash Player installed, it’s time to either update your browser and/or operating system, or else disable this problematic and insecure plugin. Windows Update should install the Flash Patch for IE/Edge users; the newest version of Google Chrome, which bundles Flash but prompts users to run Flash elements on a Web page by default, also includes the fix (although a complete Chrome shutdown and restart may be necessary before the fix is in).
Loyal readers here know full well where I stand on Flash: This is a dangerous, oft-exploited program that needs to be relegated to the dustbin of Internet history (for its part, Adobe has said it plans to retire Flash Player in 2020). Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items.
By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.
Administrators have the ability to change Flash Player’s behavior when running Internet Explorer on Windows 7 by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.
As always, please feel free to leave a note in the comments below if you experience any issues installing these fixes. Happy patching!
No infelicities this month updating Win 7 Pro 32- and 64-bit installations.
110% annecdote: historic guidance from Krebs on Security suggests downloading / installing .NET Framework updates separately, after successfully completing other updates. That continues to work well for me.
Having problems with Windows 7 64 bit roll up installing , it keeps failing but all other updates install without any issues
Like many others, I too was having problems installing KB4457144, but only on one of my laptops. All of my computers run Win 7 Pro 64 bit on Intel processors, so I was puzzled. I came across a workaround here. https://www.askwoody.com/2018/solution-for-the-error-0x8000fff-in-windows-7/#post-217241
Don’t know if it will work for you, but it did for me. I found that KB3177467 was missing on the unit that kept giving me the update error code, so I downloaded KB3177467 (64 bit version) from Microsoft and reran Windows Update. KB4457144 installed without a hitch.
For those having trouble getting Adobe Flash MSIs for corporate distribution from their official distribution page, these direct links work.
These are valid executables according to virustotal, both signed by adobe.
It is possible that someone went through the trouble of signing it with a similar name, but there appear to be past instances of this signature also without a single detection (Signature Thumbprint 2E419CCC647F94FE0DFC5460D0740B93D3572E54)
Very good advice about waiting a day or two before updating along with reliable backups. I have started following your advice plus that from askwoody(dot)com when it comes to updating. The saying ‘Unless there is a pressing need, don’t update’ works wonders me as I now have a Windows 10 machine beside others that I regularly use. MS has borked that machine once too often so deferment as become necessary.
Thanks for your great blog and all the information that you pass along.
This is a really great information for Adobe and Microsoft user because most of the people on earth use Microsoft or Adobe product, and here you describe that both of them release their security patch which is very important for everyone.
I switched to Linux and never looked back.
I would agree that every MS effort past Win7 is inferior to Linux — the user experience for Mint is more like Win7 than Win8, and it’s far more secure…..if you know how to configure it.
I’m all-in for Linux — Mint for where I’d have Windows PC, Qubes for where security is paramount, Ubuntu for servers/desktops that aren’t daily drivers (e.g. slicers for 3D printers), and Peppermint for old machines to hang a hard disk.
Raspberry Pi’s can be used as printservers or DNS servers — in an all-Linux setting, they can be shims.
Sadly the corporate world doesn’t follow your advice. Recently I’ve come across the need for a Windows 10 Enterprise laptop for controlling Windows 2012 servers remotely. I was doing this with Remmina on Ubuntu 16.04, but with the rollout of Ubuntu 18.04, they’ve stopped supporting L2TP/IPsec with a simple interface, and you have to set up strongswan among other services manually to get the same functionality.
Though I am a committed Linux user (with partial favor to Darwin), Windows 10 Enterprise is not that bad, and makes VPN setup and remote login a snap. The catch however to Windows Server 2012 as opposed to W10E, is that I’m hitting a brick wall trying to change the default server encryption ciphers for Phase 1 & 2 to match PCI compliance requirements while still being able to VPN in across several different devices sporting different versions/flavors of Windows, macOS, Android and iOS.
if you’re using flash and IE still, you should be hacked. I removed Java, Flash, and Silverlight from all my macs and PCs a year ago. no need to worry about updating them or getting hacked because of them.
Unfortunately depending on the websites a user visits it may still be necessary to keep Flash and/or Java installed.
There are still older legacy web applications out there that still rely on these two plugins because of the “if it ain’t broke, don’t fix it” mentality. Of course, browsers come with the feature to only enable the plugins to run with the user’s permission, so it is less risky to keep them installed.
Updating the installed versions of Flash and Java is simple enough anyway; just let their auto-updaters pick up the update or grab the installers yourself from their websites.
This time… …if all that is needed in order to corrupt the memory is viewing the wrong image and the attack is already used in the wild…
…is it really still advisable to wait another two days?
@IE Flash Lol:
Flash can be triggered from MS Word is it is set to click-and-pray otherwise. And the IE is still embedded as an OLE object in some places. These bugs can therefore hit users that think they are safe.
No problems updating Windows 10 Pro x64. Must have been less to update this time as the update also went faster.
I used to dual boot Windows with a boot manager. One Windows boot option was Windows Clean, the other was Windows working. I only booted the Clean version every couple of months to run Windows Update and then make a new image.
Finally a Windows Update hosed the boot manager. I fixed it from a backup but then switched to a Linux.
Adobe AIR has also been updated to v184.108.40.206 — if you don’t want the stub installer, here’s the Adobe distribution page to get the full installer file directly:
Never run Flash, totally avoid it. Any site that requires Flash is prioritizing their slothfulness over your security.
The largest hypervisor provider, VMWare, uses flash for their managment console. One of the larger storage providers, EMC, uses java for a lot of their management consoles.
There are plenty of reasons why these technologies are still in play that can not be avoided.
True, flash is required for some network management devices. However, the PCs which are used to manage from should have no Internet access and be isolated to just allow network management and nothing else other that remote access to them from trusted hosts. Those trusted hosts can have Internet, but no flash.
“The largest hypervisor provider, VMWare, uses flash for their managment console. One of the larger storage providers, EMC, uses java for a lot of their management consoles.
There are plenty of reasons why these technologies are still in play that can not be avoided.”
Money. Control. Greed.
It’s all a part of the big GAME! The illusion, the big show!
I won’t be a part of it. Open source or nothing at all. We must push for open source hardware as well.
Remote execution by viewing a webpage or image + elevation of privilege?
Futures for botnet stocks at at all time high, buy now!
On a more serious note, any machine that accesses the web/email should have the security updates applied immediately. In my environment I’m pushing desktop updates today, will wait to push server updates until next week.
Did KB4457128 load twice for anyone? It looks like it did on my PC and for some others:
Looks like Microsoft have revised the severity of CVE-2018-15967 in line with Adobe’s guidance. Their advisory now reads “Important”.
I don’t do windows updates it only updates MS. No problems in years.