Last week, on Patch Tuesday, Adobe released a new version of Flash that addresses a single critical vulnerability in previous versions.
The security bulletin for Flash 126.96.36.1995 provides some additional context.
Anyone still using Flash, and in particular if Flash is enabled in Internet Explorer 11, Edge, or Google Chrome, should install the new version.
The easiest way to obtain the latest version of Flash is to go to the Get Flash page on the Adobe web site.
You’ll probably notice a warning at the top of the Get Flash page: “Important Reminder: Flash Player’s end of life is December 31st, 2020. Please see the Flash Player EOL Information page for more details.” That’s right, Flash is nearing the end of its troubled life.
Adobe plans to retire Flash at the end of 2020. After that, Adobe will no longer update or distribute Flash. They won’t fix security vulnerabilities, and you won’t be able to download it from Adobe’s web site. Adobe recommends removing Flash from all systems by the end of 2020.
Flash will live on, of course. But leaving Flash installed and enabled in browsers will become increasingly risky, as any new vulnerabilities will not be fixed by Adobe. If you must continute to use Flash for work-related activity, try to use it only as needed, and never to view content obtained from unverified Internet sources. Use a separate browser just for viewing Flash content if possible.
A new version of Flash was released by Adobe earlier this week.
Flash 188.8.131.527 fixes a single security vulnerability in earlier versions.
If you use Flash, and in particular if you use a web browser with Flash enabled, you should make sure you’re running the latest version.
The easiest way to determine whether you’re running Flash is to visit the Flash Player Help page on the Adobe web site. Click the
Check Now button to see the version your browser is running. Further down the page, there’s a small Flash demo that you can use to verify that Flash is installed and running in your browser. Your browser may also block Flash or prompt you to allow Flash to run.
Also on that page there’s a link to Download the latest version of Flash Player.
Adobe will stop supporting and updating Flash after December 31, 2020. At that point we’ll be recommending that everyone completely disable and/or remove Flash from all their computers, unless there’s some specific reason it’s still needed. And the world will be a much better place.
Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.
Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteeen of the updates have been flagged as Critical.
To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in
Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.
The latest version of Flash, 184.108.40.2060, fixes a single security vulnerability in earlier versions.
Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the
Updates tab, check the version and click the
Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big
Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.
Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.
Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to
Check for Updates...
It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.
Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.
Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.
The new version of Flash is 220.127.116.11. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.
Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.
The latest Firefox includes fixes for at least twenty security vulnerabilities, and improves overall privacy and security by enabling Enhanced Tracking Protection by default.
When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surrepticiously use a portion of your computer’s resources to make money for someone else.
New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.
The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.
Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to
It’s update time once again, and along with the updates from Microsoft and Adobe, I’m going to annoy you with yet another reminder that Only You Can Prevent Internet Worms. That sounds kind of gross, actually.
Analysis of the Security Update Guide spreadsheet, so thoughtfully provided by Microsoft each month, shows that this month there are thirty-three updates, addressing eighty-eight security vulnerabilities in Windows (7, 8.1, 10, and Server); Flash in Internet Explorer and Edge; Internet Explorer 9 through 11; Edge; and Office 2010, 2016, and 2019. At least twenty-one of the vulnerabilities are categorized as Critical.
If you missed last month’s update festivities, you may not be aware that there’s a very dangerous vulnerability (CVE-2019-0708) in Microsoft’s Remote Desktop feature in Windows XP, Windows 7, and Server 2008. Updates for Windows 7 and Windows Server 2008 computers are available in the usual way, via Windows Update. An update for Windows XP is also available, but you’ll have to download and install it manually, from the Microsoft Update Catalog.
I’m pestering you about this because the last time a vulnerability like this appeared, we got the global WannaCry worm mess. Patch those systems and prevent a similar worm from giving the world another major headache. Here’s Microsoft on the subject, as well as Ars Technica.
As usual, Adobe has released software updates to coincide with Microsoft’s Patch Tuesday, which makes things nice and tidy with Flash being integrated into IE and Edge. Flash 18.104.22.168 fixes a single security vulnerability.
There are a few ways to update Flash on Windows, but starting with the Flash Player Control Panel works for me. On the Flash CP’s Updates tab, you’ll find a Check Now button, which will take you to the Get Adobe Flash page. That will tell you which version you’re running. If you need an update, click the Player Download Center link on that page.
From Microsoft this month, we get forty-six updates, addressing seventy-nine distinct vulnerabilities in the usual gang of idiots, namely Windows, Office, Internet Explorer, Edge, .NET, Flash in Internet Explorer, and Visual Studio. Nineteen of the updates have been flagged with Critical severity. Head over to Microsoft’s Security Update Guide for more details.
Those of you running Windows 10 may actually be satisfied with its automatic updates, despite the problems. Either that or you’ve given up fighting Microsoft. And of course there are plenty of folks running Windows 7 and 8 with automatic updates enabled, in response to which I can only tip my hat and tell you that you’re braver than I. The rest of us will (or should) be making the trudge over to Windows Update today.
Microsoft dons a white hat
One of the updates made available by Microsoft today fixes a serious vulnerability (CVE-2019-0708) in older versions of Windows, including Windows 7, XP, and Server 2008. Despite the fact that official support for these versions has ended, Microsoft decided to make the world a slightly better place, taking the time to develop, test, and publish these updates. Which is good, because the hole being fixed is a bad one, in that it could provide a handy new conduit for malicious software worms to propagate… just like WannaCry did in 2017.
So, two things: first of all, thanks Microsoft! Second, if you run Windows 7 or Windows Server 2008 computers, please check Windows Update and install the May 2019 monthly security rollup as described on this Microsoft page. For any computers running Windows XP, you’ll have to download the appropriate update from the Microsoft Update Catalog, as decribed on this Microsoft page.
More about Microsoft’s unusual move
Adobe’s contribution this month consists of new versions of Flash and Acrobat Reader. Flash 22.214.171.124 addresses a single security vulnerability, while Acrobat Reader DC 2019.012.20034 addresses a whopping eighty-four vulnerabilities in earlier versions.
Reader will generally update itself, but you can make sure by navigating its menu to
Check for Updates.... The easiest way to update Flash is to look for it in the Windows Control Panel. Go to the
Updates tab of the Flash control panel widget and click
Check Now. This will take you indirectly to the download page for Flash. Make sure you opt out of any additional software offered for install on that page.
You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.
Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.
Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.
It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.
Flash 126.96.36.199 includes fixes for two vulnerabilities in earlier versions.
Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.
Shockwave Player 188.8.131.52 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.
There are links to download the new versions on all the release announcement pages linked to above.
Analysis of Microsoft’s Security Update Guide for February 2019 reveals that there are sixty-one distinct updates and corresponding articles in Microsoft’s support knowledge base.
At least seventy-seven vulnerabilities in Windows, Office, .NET, Internet Explorer, Edge, and Visual Studio are addressed by the updates. Twenty of the updates are flagged as Critical. Included in the updates is a new version of Flash for Internet Explorer and Edge.
As always, the easiest way to update Microsoft software is to use Windows Update, found in the Control Panel or System settings of your version of Windows.
Adobe once again adds to the patching load with new versions of Flash and Reader. Flash 184.108.40.206 addresses a single security vulnerability in earlier versions. The easiest way to check your Flash version and grab an update is to visit the Flash Help page.
Adobe Reader DC 2019.010.20091 includes fixes for at least seventy security bugs in earlier versions. Newer versions of Reader support auto-updates, but you can check for new versions by running Reader, and selecting
Check for Updates from its menu. If there’s a new version available, you’ll be prompted to install it.
It’s the second Tuesday of the month, so it’s once again time to play Patch Or Else, brought to you by Microsoft and Adobe.
It’s easy to get complacent about updating software: diligently installing updates as soon as they become available is an essential part of a good security strategy, and it means you’re less likely to fall afoul of malicious activity. But it also means that after a while you can lose sight of the risk of not staying up to date, and gradually become lax about installing updates. History is filled with stories of lost lessons; it’s apparently in our nature to forget what’s important when we aren’t reminded of the reasons for that importance.
Analysis of Microsoft’s Security Update Guide for the December 2018 updates reveals that this month we have sixty-seven distinct updates, half of which are flagged as having Critical severity. The updates address security issues in Adobe Flash (embedded in Internet Explorer and Edge), Internet Explorer, Edge, .NET, Office, Visual Studio, and Windows.
Update Windows and your other Microsoft software via Windows Update. In Windows 10, open the Start Menu and click on
Update & Security settings >
Windows Update. In older versions of Windows, you can find Windows Update in the Control Panel.
Presumably as part of the ongoing push for transparency in response to Windows 10 update problems earlier this year, Microsoft Corporate VP Michael Fortin posted an article, coinciding with this month’s updates, that explains some of the planning that goes into the monthly updates. Fortin points out that “During peak times, we update over 1,000 devices per second”.
Adobe’s contribution to the patch pile this month is a new version of Adobe Reader. The new Reader includes fixes for at least eighty-seven vulnerabilities, many having Critical severity. The release notes for Adobe Reader DC 2019.010.20064 provide additional details. Update Reader by pointing your browser to the Acrobat Reader Download Center.