It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.
Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.
Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.
The new version of Flash is 18.104.22.168. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.
Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.
The latest Firefox includes fixes for at least twenty security vulnerabilities, and improves overall privacy and security by enabling Enhanced Tracking Protection by default.
When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surrepticiously use a portion of your computer’s resources to make money for someone else.
New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.
The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.
Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to
It’s update time once again, and along with the updates from Microsoft and Adobe, I’m going to annoy you with yet another reminder that Only You Can Prevent Internet Worms. That sounds kind of gross, actually.
Analysis of the Security Update Guide spreadsheet, so thoughtfully provided by Microsoft each month, shows that this month there are thirty-three updates, addressing eighty-eight security vulnerabilities in Windows (7, 8.1, 10, and Server); Flash in Internet Explorer and Edge; Internet Explorer 9 through 11; Edge; and Office 2010, 2016, and 2019. At least twenty-one of the vulnerabilities are categorized as Critical.
If you missed last month’s update festivities, you may not be aware that there’s a very dangerous vulnerability (CVE-2019-0708) in Microsoft’s Remote Desktop feature in Windows XP, Windows 7, and Server 2008. Updates for Windows 7 and Windows Server 2008 computers are available in the usual way, via Windows Update. An update for Windows XP is also available, but you’ll have to download and install it manually, from the Microsoft Update Catalog.
I’m pestering you about this because the last time a vulnerability like this appeared, we got the global WannaCry worm mess. Patch those systems and prevent a similar worm from giving the world another major headache. Here’s Microsoft on the subject, as well as Ars Technica.
As usual, Adobe has released software updates to coincide with Microsoft’s Patch Tuesday, which makes things nice and tidy with Flash being integrated into IE and Edge. Flash 22.214.171.124 fixes a single security vulnerability.
There are a few ways to update Flash on Windows, but starting with the Flash Player Control Panel works for me. On the Flash CP’s Updates tab, you’ll find a Check Now button, which will take you to the Get Adobe Flash page. That will tell you which version you’re running. If you need an update, click the Player Download Center link on that page.
From Microsoft this month, we get forty-six updates, addressing seventy-nine distinct vulnerabilities in the usual gang of idiots, namely Windows, Office, Internet Explorer, Edge, .NET, Flash in Internet Explorer, and Visual Studio. Nineteen of the updates have been flagged with Critical severity. Head over to Microsoft’s Security Update Guide for more details.
Those of you running Windows 10 may actually be satisfied with its automatic updates, despite the problems. Either that or you’ve given up fighting Microsoft. And of course there are plenty of folks running Windows 7 and 8 with automatic updates enabled, in response to which I can only tip my hat and tell you that you’re braver than I. The rest of us will (or should) be making the trudge over to Windows Update today.
Microsoft dons a white hat
One of the updates made available by Microsoft today fixes a serious vulnerability (CVE-2019-0708) in older versions of Windows, including Windows 7, XP, and Server 2008. Despite the fact that official support for these versions has ended, Microsoft decided to make the world a slightly better place, taking the time to develop, test, and publish these updates. Which is good, because the hole being fixed is a bad one, in that it could provide a handy new conduit for malicious software worms to propagate… just like WannaCry did in 2017.
So, two things: first of all, thanks Microsoft! Second, if you run Windows 7 or Windows Server 2008 computers, please check Windows Update and install the May 2019 monthly security rollup as described on this Microsoft page. For any computers running Windows XP, you’ll have to download the appropriate update from the Microsoft Update Catalog, as decribed on this Microsoft page.
More about Microsoft’s unusual move
Adobe’s contribution this month consists of new versions of Flash and Acrobat Reader. Flash 126.96.36.199 addresses a single security vulnerability, while Acrobat Reader DC 2019.012.20034 addresses a whopping eighty-four vulnerabilities in earlier versions.
Reader will generally update itself, but you can make sure by navigating its menu to
Check for Updates.... The easiest way to update Flash is to look for it in the Windows Control Panel. Go to the
Updates tab of the Flash control panel widget and click
Check Now. This will take you indirectly to the download page for Flash. Make sure you opt out of any additional software offered for install on that page.
You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.
Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.
Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.
It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.
Flash 188.8.131.52 includes fixes for two vulnerabilities in earlier versions.
Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.
Shockwave Player 184.108.40.206 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.
There are links to download the new versions on all the release announcement pages linked to above.
Analysis of Microsoft’s Security Update Guide for February 2019 reveals that there are sixty-one distinct updates and corresponding articles in Microsoft’s support knowledge base.
At least seventy-seven vulnerabilities in Windows, Office, .NET, Internet Explorer, Edge, and Visual Studio are addressed by the updates. Twenty of the updates are flagged as Critical. Included in the updates is a new version of Flash for Internet Explorer and Edge.
As always, the easiest way to update Microsoft software is to use Windows Update, found in the Control Panel or System settings of your version of Windows.
Adobe once again adds to the patching load with new versions of Flash and Reader. Flash 220.127.116.11 addresses a single security vulnerability in earlier versions. The easiest way to check your Flash version and grab an update is to visit the Flash Help page.
Adobe Reader DC 2019.010.20091 includes fixes for at least seventy security bugs in earlier versions. Newer versions of Reader support auto-updates, but you can check for new versions by running Reader, and selecting
Check for Updates from its menu. If there’s a new version available, you’ll be prompted to install it.
It’s the second Tuesday of the month, so it’s once again time to play Patch Or Else, brought to you by Microsoft and Adobe.
It’s easy to get complacent about updating software: diligently installing updates as soon as they become available is an essential part of a good security strategy, and it means you’re less likely to fall afoul of malicious activity. But it also means that after a while you can lose sight of the risk of not staying up to date, and gradually become lax about installing updates. History is filled with stories of lost lessons; it’s apparently in our nature to forget what’s important when we aren’t reminded of the reasons for that importance.
Analysis of Microsoft’s Security Update Guide for the December 2018 updates reveals that this month we have sixty-seven distinct updates, half of which are flagged as having Critical severity. The updates address security issues in Adobe Flash (embedded in Internet Explorer and Edge), Internet Explorer, Edge, .NET, Office, Visual Studio, and Windows.
Update Windows and your other Microsoft software via Windows Update. In Windows 10, open the Start Menu and click on
Update & Security settings >
Windows Update. In older versions of Windows, you can find Windows Update in the Control Panel.
Presumably as part of the ongoing push for transparency in response to Windows 10 update problems earlier this year, Microsoft Corporate VP Michael Fortin posted an article, coinciding with this month’s updates, that explains some of the planning that goes into the monthly updates. Fortin points out that “During peak times, we update over 1,000 devices per second”.
Adobe’s contribution to the patch pile this month is a new version of Adobe Reader. The new Reader includes fixes for at least eighty-seven vulnerabilities, many having Critical severity. The release notes for Adobe Reader DC 2019.010.20064 provide additional details. Update Reader by pointing your browser to the Acrobat Reader Download Center.
Released on December 5th, the latest Flash addresses two security vulnerabilities in earlier versions. The security bulletin for Flash 18.104.22.168 provides additional details.
If you’re still using Flash, you should install the new version as soon as possible. If you use a web browser with a Flash plugin enabled, don’t wait: update now. If you’re not sure whether your browser has Flash enabled, visit the Flash Player Help page with that browser. The Help page will detect Flash in your browser, tell you which version is installed, and provide a download link for the latest version.
Web browsers that include their own embedded Flash will be updated via their usual channels: for Microsoft browsers, that means Windows Update. Chrome usually updates itself automatically, but you can trigger an update by navigating its menu to
About Google Chrome.
There’s another new version of Flash: 22.214.171.124. A single Critical security vulnerability is addressed in this version. The vulnerability, when exploited, can allow for arbitrary code execution.
If you’re using a web browser with Flash enabled, you should update it as soon as possible. If you’re not sure whether your browser is enabled for Flash content, head over to the Flash Player Help page. If Flash is installed and enabled in your browser, your Flash version will be shown.
You can install Flash by visiting the main Flash installer page. Make sure to disable all the optional installation checkboxes on that page, or you’ll get unwanted software along with Flash.
As usual, Google Chrome and Microsoft’s browsers, which have their own embedded Flash viewers, are updated separately. Chrome will update itself; Edge and Internet Explorer are updated via the Windows Update service.
This month, we have fifty-six updates from Microsoft. The updates fix security issues in .NET, Office, Internet Explorer, Edge, Microsoft Project, SharePoint, PowerShell, Skype, and Windows. Analysis of the Security Update Guide for this month shows that a total of sixty-three vulnerabilities are addressed by the updates. Twelve of the vulnerabilities are flagged as Critical.
Windows 10 computers will have relevant updates installed automatically over the next few days. Those of you running older versions of Windows that don’t have automatic updates enabled will need to use Windows Update (in the Windows Control Panel) to check for new updates.
Meanwhile, Adobe released new versions of Flash and Reader. Flash 126.96.36.199 addresses a single security vulnerability in earlier versions. Reader DC 2019.008.20081 fixes a single security bug in earlier versions. Adobe software will usually update itself, unless you’ve explicitly disabled its automatic update features.