Category Archives: Adobe

Patch Tuesday for September 2016

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash, and Internet Explorer 10 and 11, and Edge, get the new Flash via the update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

Patch Tuesday for July 2016

It’s a relatively light month for Microsoft patches: only eleven this time. The updates address security issues in the usual suspects, namely Windows, Internet Explorer, Edge, Office, and the Flash code that’s embedded in IE 10, IE 11, and Edge. Six of the updates are flagged as Critical. A total of fifty vulnerabilities are addressed.

Adobe joins in the fun again this month, with updates for Flash and Reader/Acrobat. The Flash update fixes a whopping fifty-two vulnerabilities, while the Reader update fixes thirty vulnerabilities. Update: an announcement for the Flash update appeared on July 14th, despite being dated July 12th.

Update 2016Jul17: Ars Technica points out that one of the Microsoft updates addresses a critical security hole in a Windows printer driver installation mechanism that dates back to Windows 95. The vulnerability was not actually closed by the update; instead, a warning was added to the driver installation process.

Critical Flash update

Earlier this week, Adobe announced that they would delay this month’s Flash update for a few days, which would allow them to include a fix for a critical vulnerability (CVE-2016-4171) that’s being actively exploited on the web.

Yesterday Adobe released Flash 22.0.0.192, which addresses CVE-2016-4171 and thirty-five other vulnerabilities. Anyone who uses Flash should install the new version as soon as possible, but those of us who still use Flash in a web browser need to check our version and update immediately.

Recent versions of Internet Explorer and Edge will get the new version of Flash via Windows Update. Microsoft issued a related bulletin yesterday.

Chrome’s embedded Flash will be updated via its own internal updater. You can trigger the update by clicking the ‘hamburger’ menu button at the top right, then clicking Help and About Google Chrome.

Patch Tuesday for June 2016

It’s that time again, folks. This month Microsoft has sixteen updates, which address forty-four vulnerabilities in the usual culprits: Windows, Internet Explorer, Office, and Edge. Five of the updates are flagged as Critical.

Adobe issued an alert earlier today, saying that they have identified a vulnerability in Flash that is being actively exploited. There’s no update as yet, but they expect to have one ready by June 16. I imagine that Adobe was planning to release a Flash update today to coincide with Microsoft’s updates, but this new threat messed up their timing.

Flash update incoming

Maybe the Flash developers didn’t make the deadline for Patch Tuesday, so they felt left out. Anyway, according to a security advisory published today, Adobe is working on an emergency update for Flash, to address one specific vulnerability, CVE-2016-4117.

That vulnerability is so new, it doesn’t appear in the vulnerability databases. Adobe refers to it as critical, and indeed, exploits have already been observed in the wild (which makes this a good example of a zero-day vulnerability). Adobe expects to publish a new version of Flash that addresses this vulnerability as early as May 12.

Interestingly, the advisory states that the vulnerability exists in Adobe Flash Player 21.0.0.226 and earlier, while the most recent published versions are 21.0.0.213 and 21.0.0.216. Now I’m thinking that Adobe delayed the Flash update scheduled for Patch Tuesday (which presumably would have been version 21.0.0.226) to give themselves time to fix CVE-2016-4117.

Patch Tuesday for May 2016

This month, besides the usual pile o’ patches from Microsoft, we have updates for Adobe Reader/Acrobat, but (big surprise) not for Flash.

There are sixteen Microsoft updates, addressing thirty-seven vulnerabilities in Windows, Internet Explorer, Office, Edge, and .NET. There’s also Microsoft Security Advisory 3155527. At least one of the vulnerabilities (CVE-2016-0189) is being actively exploited. This flaw could allow an attacker to execute malicious code if an unpatched computer visits a malicious or compromised web site.

The Adobe Reader update addresses over ninety vulnerabilities, which must set some kind of record. And not the good kind. If you use Reader in any context, you should update it to address these critical security issues.

Shockwave 12.2.4.194

At some point in March, Adobe released a new version of Shockwave, 12.2.4.194. The release notes are light on details, saying only that the version includes “Deprecation of SHA-1 certificates in the Shockwave installer.”

SHA-1 is no longer considered secure, so this is a security update, and anyone who uses a web browser with Shockwave enabled should install the latest version as soon as possible. Note that the Shockwave plugin sometimes appears in browsers as Shockwave for Director.

Flash 21.0.0.213 fixes 24 security issues

Earlier this week Adobe issued a security alert about a Flash vulnerability that was (and still is) being actively exploited on the web. As expected, that vulnerability has been fixed in a new version of Flash. In all, twenty-four security vulnerabilities are addressed in Flash 21.0.0.213.

If you use a web browser with Flash enabled, you should install the new version as soon as possible. You can find out whether Flash is enabled in your browser by visiting Check-And-Secure.

As usual, Chrome will update itself with the new Flash, and Internet Explorer and Edge running on newer versions of Windows will get the new Flash via Windows Update.

New Flash vulnerability discovered

According to a security bulletin published yesterday by Adobe, all versions of Flash older than 21.0.0.182 running on Windows are vulnerable. The specific vulnerability involved — designated CVE-2016-1019 — is flagged as Critical, and could allow an attacker to crash or take over control of targeted Windows systems.

Adobe says that Flash 21.0.0.182 contains a mitigation that protects it from this vulnerability, so if you use Flash, and you’re not already running 21.0.0.182 or newer, you should install it ASAP.

Adobe is working on a more comprehensive fix for this vulnerability and plans to release another new version of Flash in the next day or so.