Spring has sprung, and with it, a load of updates from Microsoft and Adobe.
This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.
The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking the little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.
Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.
As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 220.127.116.11 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.
You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.
Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.
Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.
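The update and vulnerability counts quoted in these posts come from the SUG spreadsheet export mentioned above. The following PowerShell is an added example, not code from the original post, showing one way to derive those counts from such an export. It assumes the column names of a 2018-era SUG CSV export (Release Date, Product, Platform, Impact, Max Severity, Article, Download, Details); the rows are constructed sample data, and the KB and CVE identifiers in them are placeholders, not real advisories.

```powershell
# Constructed sample rows in the shape of a SUG CSV export (not real data).
# The same CVE appears once per affected product, which is why distinct CVEs
# must be counted rather than rows.
$sugCsv = @"
"Release Date","Product","Platform","Impact","Max Severity","Article","Download","Details"
"Apr 10, 2018","Windows 10 Version 1709","x64","Remote Code Execution","Critical","KBxxxx1","Security Update","CVE-2018-PLACEHOLDER1"
"Apr 10, 2018","Windows 10 Version 1709","x64","Elevation of Privilege","Important","KBxxxx1","Security Update","CVE-2018-PLACEHOLDER2"
"Apr 10, 2018","Windows 8.1","x64","Remote Code Execution","Critical","KBxxxx2","Security Only","CVE-2018-PLACEHOLDER1"
"Apr 10, 2018","Internet Explorer 11","x64","Remote Code Execution","Critical","KBxxxx3","Cumulative","CVE-2018-PLACEHOLDER3"
"Apr 10, 2018","Microsoft Excel 2016","x86","Remote Code Execution","Important","KBxxxx4","Security Update","CVE-2018-PLACEHOLDER4"
"@

function Get-SugSummary {
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv

    # One "update" per distinct KB article and download type (cumulative vs.
    # security-only packages for the same KB count separately).
    $updates = $rows | Group-Object -Property Article, Download

    # One "vulnerability" per distinct CVE, regardless of how many product
    # rows list it.
    $cves = $rows | Group-Object -Property Details

    # A CVE is Critical if any product row rates it Critical; Critical RCEs
    # are the ones the posts call out as most urgent.
    $critical    = $cves | Where-Object { $_.Group.'Max Severity' -contains 'Critical' }
    $criticalRce = $critical | Where-Object { $_.Group.Impact -contains 'Remote Code Execution' }

    [pscustomobject]@{
        Updates         = $updates.Count
        Vulnerabilities = $cves.Count
        Critical        = $critical.Count
        CriticalRce     = $criticalRce.Count
        Products        = ($rows.Product | Sort-Object -Unique) -join ', '
    }
}

# With the sample above this reports 4 updates, 4 vulnerabilities,
# 2 Critical, 2 Critical RCE.
Get-SugSummary -CsvText $sugCsv | Format-List
```

To run it against a real export, replace `$sugCsv` with `Get-Content -Raw .\SecurityUpdateGuide.csv`. The distinct-CVE grouping matters: a naive row count would inflate the vulnerability total by the number of products each CVE affects.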
If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.
Adobe’s offering for this month’s patching fun is a new version of Flash Player: 18.104.22.168 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.
If you’re using a web browser with Flash enabled, you should install Flash 22.214.171.124 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.
A new version of Flash, released on March 13 by Adobe, fixes two security vulnerabilities as well as a few other bugs.
If you use a browser with Flash enabled, you should update it as soon as possible. Most browsers no longer play Flash content automatically, or at least have options to make Flash content play only when explicitly allowed. Still, it’s best to be up to date if you use Flash at all.
Internet Explorer and Edge will get their Flash updates via Windows Update, and Google Chrome will update itself on its own mysterious schedule. You can force the issue by visiting the main Flash download page, or the About Flash page, which will prompt you to update if you’re not running the latest version. Don’t forget to disable installation of any additional software, including McAfee security products.
You can find more details in the release announcement, release notes, and the associated security bulletin.
I count forty-seven separate bulletins in this month’s batch of updates, which means there are roughly that same number of updates. Over seventy security vulnerabilities in Windows, Internet Explorer, Edge, Office, and .NET are addressed in the updates. There’s a Flash update in there as well, for Edge and recent versions of Internet Explorer.
This month we also get more fixes for Spectre and Meltdown, including firmware updates for somewhat older processors (Skylake, Kaby Lake, and Coffee Lake). There’s still not much available for processors that are more than a few years old.
While Microsoft continues to push people to enable automatic updates, the more cautious among us (including myself) prefer to control what is updated and when. Windows 10 users still have effectively no control over Windows updates.
You can extract additional details for this month’s updates from Microsoft’s Security Update Guide.
Earlier today, Microsoft released forty-two updates to address fifty-four vulnerabilities in Windows, Internet Explorer, Edge, Flash, and Office software. Fourteen of the vulnerabilities are flagged as Critical, and have the potential to be used for remote code execution.
This information was extracted from Microsoft’s Security Update Guide, the rather opaque reservoir into which Microsoft now dumps its update information. Of course Microsoft would be happier if we all just enabled auto-updates, and in fact the monthly patch bulletins are now little more than a link to the SUG and a recommendation to enable auto-updates.
As expected, Adobe has released a new version of Flash that addresses CVE-2018-4878 and another critical vulnerability, CVE-2018-4877. A new security bulletin (APSB18-03) provides additional details.
The new version was made available on February 6. The release notes show that at least one other bug was fixed in Flash 126.96.36.199.
Anyone still using a web browser with Flash enabled should make sure that it’s up to date. CVE-2018-4877 is already being actively exploited.
As usual, Chrome will update itself automatically, and Internet Explorer and Edge will get the new Flash via Windows Update.
On February 1, Adobe published a security advisory about a critical vulnerability (CVE-2018-4878) in Flash Player 188.8.131.52 and earlier versions. Successful exploitation could allow an attacker to take control of an affected system.
An exploit for CVE-2018-4878 already exists, and is being used in targeted attacks against Windows users. So far, attacks based on this vulnerability have been delivered via Office documents with malicious Flash content as email attachments.
Adobe plans to address this vulnerability next week. Meanwhile, use extreme caution when deciding whether to open email attachments, especially if they appear to be Office documents.
Flash is gradually disappearing from use, but it’s still used enough to make it a tempting target for malicious hackers.
Duo Security: No Patch Yet: Flash Vulnerability Exploited in the Wild
As usual, Adobe is tagging along with Microsoft this month, releasing a new version of Flash to coincide with Patch Tuesday. Flash 184.108.40.206 fixes a single security vulnerability in previous versions.
Google Chrome will get its new Flash automatically, and Microsoft browsers will get their Flash updates via Windows Update.
This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.
It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.
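The gating described above can be checked directly rather than inferred from a missing entry in Windows Update. The following PowerShell is an added example, not code from the original post. The registry key and value name are the ones Microsoft documented for the anti-malware compatibility flag; they are not quoted in the post. The KB numbers are the two named in the post. The SecurityCenter2 query is an assumption that the machine is a client edition of Windows where that WMI namespace exists.

```powershell
# Registry flag that anti-malware software sets to declare compatibility with
# the January 2018 Spectre/Meltdown updates (per Microsoft's documentation,
# not the post). Windows Update withholds those updates until it is present.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Security-only and monthly rollup KBs for Windows 8.1, as named in the post.
$kbs = @('KB4056898', 'KB4056895')

function Test-QualityCompatFlag {
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    # Documented condition: a REG_DWORD value named after the GUID, set to 0.
    return ($null -ne $item) -and ($item.$compatName -eq 0)
}

function Get-SpectreUpdateState {
    $installed = Get-HotFix |
        Where-Object { $kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Registered anti-malware products (client Windows only; empty elsewhere).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName

    [pscustomobject]@{
        CompatFlagSet    = Test-QualityCompatFlag
        InstalledKBs     = ($installed -join ', ')
        AntimalwareState = ($av -join ', ')
    }
}

Get-SpectreUpdateState | Format-List
```

If `CompatFlagSet` is false and no anti-malware product is listed, you are in the situation the post describes: Windows Update will not offer the KBs until something sets the flag. Re-enabling Windows Defender, as the post did, is the supported way to get there; the flag exists precisely because some products crashed with these updates, so it is only meaningful when set by software that has actually been tested against them.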
There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.
Back to our regularly-scheduled Patch Tuesday…
The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, SharePoint, and SQL Server.
Adobe released a new version of Flash to coincide with yesterday’s Microsoft updates. Flash 220.127.116.11 fixes a few minor issues and one security vulnerability.
As usual, Chrome will update itself with the latest Flash, and Microsoft browsers will receive updates via Windows Update.
If you still use Flash, and in particular if you use a web browser that is configured to play Flash content, you should install the new version as soon as possible. Better still, stop using Flash altogether. Flash is being phased out in some browsers, including Firefox. Many web sites that formerly used Flash have switched to HTML5.