Category Archives: Adobe

Patch Tuesday for January 2021

There’s no stopping the juggernaut of monthly updates coming from our pals in Redmond.

This month’s load of updates, based on analysis of the new, ‘improved’ Security Update Guide, shows that we have updates for Edge, Office (2010, 2013, 2016, and 2019), SharePoint, SQL Server, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, and 2019), addressing eighty-three security vulnerabilities in all.

There’s a summary of this month’s updates linked from the SUG, but as usual, it’s bafflingly incomplete.

Windows 8.1 computers can get this month’s updates via Windows Update in the Control Panel. Windows 10 computers will get the updates over the next few days, unless they’ve been configured to delay updates temporarily. Windows 7 users are still basically out of luck.

Flash is DEAD

Adobe’s kill switch for Flash went into effect as scheduled yesterday. Any Flash media you try to view from now on will show a placeholder image, which links to the End Of Life announcement for Flash.

That includes any Flash media you have lying around on your computer. For example, I found the Flash test animation on my main computer and uploaded it to my web server, where until January 12, it worked perfectly. That same Flash animation used to show on the main Flash help page, but of course that page now shows the placeholder as well.

And so ends the long, exasperating, security nightmare that was Flash. Good riddance.

Adobe Reader update, Flash ‘kill switch’

Earlier this week, Adobe released new versions of its Acrobat/Reader product line, to address a lone security vulnerability in earlier versions.

The new version of Acrobat Reader DC, which is the free — and widely used — version of Acrobat, is 2020.013.20074.

Recent versions of Acrobat and Reader usually manage to update themselves, but if you use either of them for viewing PDF files from untrusted sources, you should make sure you’re running the latest version. In Acrobat Reader DC, navigate its menu to Help > Check for Updates... If a newer version is available, you’ll see an option to install it.

Flash ‘Kill Switch’

We expected Adobe to show warnings in Flash after its development and support end in January 2021. Now comes news that Adobe is taking the rather drastic step of preventing Flash content from playing at all after January 12.

It’s not clear whether it will be possible to override this behaviour, so anyone who still relies on being able to play Flash content after January 12 should be looking into alternatives.

Adobe Reader update

Last week Adobe released new versions of its Acrobat and Reader products, to address fourteen security vulnerabilities in earlier versions.

In the Adobe product lineup, Acrobat is the commercial PDF builder, while Reader is the free PDF viewer. At one time you pretty much needed to have Reader installed to view PDF files, but these days PDF viewer functionality is increasingly built into operating systems and web browsers.

The new version of Reader — officially referred to as Acrobat Reader DC — is 2020.013.20064. Details are available in the related Adobe Security Bulletin.

All of Adobe’s Acrobat/Reader products update themselves by default, and there’s apparently no simple way to disable that feature. Still, if you have Reader installed, and you use it to view PDF files obtained from email or the web, it’s a good idea to make sure it’s up to date.

To check for updates, start Reader and navigate its menu to Help > Check for Updates... If there’s a newer version available, you’ll be prompted to install it.

Flash update and upcoming retirement

Last week, on Patch Tuesday, Adobe released a new version of Flash that addresses a single critical vulnerability in previous versions.

The security bulletin for Flash 32.0.0.445 provides some additional context.

Anyone still using Flash, particularly with Flash enabled in Internet Explorer 11, Edge, or Google Chrome, should install the new version.

The easiest way to obtain the latest version of Flash is to go to the Get Flash page on the Adobe web site.

You’ll probably notice a warning at the top of the Get Flash page: “Important Reminder: Flash Player’s end of life is December 31st, 2020. Please see the Flash Player EOL Information page for more details.” That’s right, Flash is nearing the end of its troubled life.

Adobe plans to retire Flash at the end of 2020. After that, Adobe will no longer update or distribute Flash. They won’t fix security vulnerabilities, and you won’t be able to download it from Adobe’s web site. Adobe recommends removing Flash from all systems by the end of 2020.

Flash will live on, of course. But leaving Flash installed and enabled in browsers will become increasingly risky, as any new vulnerabilities will not be fixed by Adobe. If you must continue to use Flash for work-related activity, try to use it only as needed, and never to view content obtained from unverified Internet sources. Use a separate browser just for viewing Flash content if possible.

Adobe Reader security fixes

Earlier this week Adobe released new versions of its Acrobat/Reader product line, to fix a series of security vulnerabilities in earlier versions.

There are at least eight variants of Adobe Acrobat and its free counterpart, Reader, which can be confusing. Mitigating this potential confusion is the fact that the huge majority of people who have one of these products installed are using the free Acrobat Reader DC.

The release notes associated with this set of updates reveal that the new versions address at least twenty-six security vulnerabilities in earlier versions. Many of the vulnerabilities are flagged as Critical. The updated version of Acrobat Reader DC is 2020.012.20041.

With default settings, recent versions of Reader will update themselves, on a schedule determined by Adobe, within a few days of a new version’s release. Although it’s possible to override this default behaviour, doing so requires installation of an additional tool or editing the Windows registry directly.

If you’d like to check the version of Reader you’re using, navigate Reader’s menu to Help > About Adobe Acrobat Reader DC. To check for updates and install the latest version, go to Help > Check For Updates...

Adobe Flash 32.0.0.387

A new version of Flash was released by Adobe earlier this week.

Flash 32.0.0.387 fixes a single security vulnerability in earlier versions.

If you use Flash, and in particular if you use a web browser with Flash enabled, you should make sure you’re running the latest version.

The easiest way to determine whether you’re running Flash is to visit the Flash Player Help page on the Adobe web site. Click the Check Now button to see the version your browser is running. Further down the page, there’s a small Flash demo that you can use to verify that Flash is installed and running in your browser. Your browser may also block Flash or prompt you to allow Flash to run.

Also on that page there’s a link to Download the latest version of Flash Player.

Adobe will stop supporting and updating Flash after December 31, 2020. At that point we’ll be recommending that everyone completely disable and/or remove Flash from all their computers, unless there’s some specific reason it’s still needed. And the world will be a much better place.

Patch Tuesday for May 2020

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilities in earlier versions.

Adobe Acrobat Reader DC 20.006.20042

A new version of Adobe’s free PDF document viewer, Acrobat Reader DC, was released on March 17.

According to the release announcement, Reader 20.006.20042 addresses thirteen security vulnerabilities in earlier versions. Many of these bugs were detected and reported by third-party researchers, who are credited in the announcement.

If you use Reader, and particularly if you use it to open PDF files you obtain from email and the web, you should make sure it’s up to date.

Newer versions of Reader typically update themselves when they detect new versions, but since it’s not clear what triggers these updates, you might want to check your version and update it yourself.

Check the version of your Reader by navigating its menu to Help > About Adobe Acrobat Reader DC... If you’re not running the latest version, update it via Help > Check for Updates...

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.

The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...

Patch Tuesday for December 2019

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.