Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacking Team leak.

Flash 18.0.0.209 fixes latest vulnerabilities

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacking Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates, and about efforts by Mozilla and Google to minimize Flash-related vulnerabilities.

Yet another Flash exploit revealed

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.