Category Archives: Flash

Patch Tuesday for December

Today, Microsoft published twenty-four updates, addressing thirty-three vulnerabilities in Flash player (for Microsoft browsers), Office, Internet Explorer, Edge, and Windows.

As usual, Microsoft’s announcement is little more than a pointer to the Security Update Guide (SUG). If you’re looking for details about any of these updates, that’s your only official option. The SUG’s user interface is somewhat headache-inducing, but there’s useful information to be had there.

Windows 10 gets these updates whether you want them or not; Windows 7 and 8.1 can be configured for automatic or manual updates. I personally don’t like the idea of updates being installed on my computers at Microsoft’s whim, so I’m sticking with manual updates. And avoiding Windows 10 completely. And gradually switching to Linux.

November updates for Adobe products

Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.

Flash 27.0.0.187 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.

Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.

Shockwave Player 12.3.1.201 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.

If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.

Patch Tuesday for November 2017

According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.

My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.

If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.
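The same tallying can be scripted instead of done with Excel filters. This is an added example, not part of the original post; it assumes the download has been saved as CSV, and the column names (`Article`, `Details`, `Severity`) and every sample row are constructed, so adjust them to the headers in the file you actually get.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per (update, product, CVE), as a per-product
# export would list them. Column names and all values are assumptions.
SAMPLE_EXPORT = """\
Article,Product,Details,Severity
KB0000001,Windows 7,CVE-EXAMPLE-0001,Important
KB0000002,Windows 8.1,CVE-EXAMPLE-0001,Critical
KB0000002,Windows 8.1,CVE-EXAMPLE-0002,Important
KB0000003,Internet Explorer 11,CVE-EXAMPLE-0003,Critical
KB0000003,Internet Explorer 11,CVE-EXAMPLE-0002,Moderate
KB0000004,Office 2016,CVE-EXAMPLE-0004,
"""

SEVERITY_RANK = {"": 0, "low": 1, "moderate": 2, "important": 3, "critical": 4}


def summarize(export_text, article_col="Article", cve_col="Details",
              severity_col="Severity"):
    """Count distinct updates and CVEs, rating each CVE by its worst row."""
    articles = set()
    worst = {}  # CVE id -> highest severity seen for it on any product
    for row in csv.DictReader(io.StringIO(export_text)):
        article = (row.get(article_col) or "").strip()
        cve = (row.get(cve_col) or "").strip()
        severity = (row.get(severity_col) or "").strip().lower()
        if article:
            articles.add(article)
        if not cve:
            continue
        # The same CVE repeats once per affected product, often with a
        # different rating, so keep only the most severe one.
        seen = worst.get(cve)
        if seen is None or SEVERITY_RANK.get(severity, 0) > SEVERITY_RANK.get(seen, 0):
            worst[cve] = severity
    by_severity = defaultdict(int)
    for severity in worst.values():
        by_severity[severity or "unrated"] += 1
    return {"updates": len(articles),
            "vulnerabilities": len(worst),
            "by_severity": dict(by_severity)}


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
```

Counting rows directly overstates both totals, because each update and each CVE appears once per affected product; deduplicating first is what makes the numbers comparable month to month.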

Flash 27.0.0.170 fixes one security issue

And just like that, we get another version of Flash, this one addressing a single security vulnerability. From the security bulletin: “Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.”

Anyone still using Flash in their web browser should install the new version as soon as possible. You can check which version you’re running and download the new one at the Flash version checker and download page.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

No security fixes in latest Flash: 27.0.0.159

A new version of Flash includes a few bug fixes and other functionality changes, but no security fixes. Still, you’ll most likely need to update Flash in your browser to view Flash content.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

Patch Tuesday for September 2017

This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.

The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.

Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.

As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 27.0.0.130 addresses two critical vulnerabilities in previous versions.

Patch Tuesday for August 2017

It’s once again time for the monthly headache otherwise known as Patch Tuesday.

As you’re no doubt aware from my previous whining, Microsoft no longer publishes a bulletin for each update, and finding useful information in the Security Update Guide is awkward at best. It feels like Microsoft is trying to get everyone to just give up and enable auto-update. Of course with Windows 10 you no longer have a choice: you get updates when Microsoft wants you to have them. Which is one of the reasons I don’t use that particular O/S.

From my analysis of the Security Update Guide’s entries for August 2017, it appears that we have thirty-nine updates, addressing fifty-three vulnerabilities in Internet Explorer, Edge, Windows, SharePoint, Adobe Flash Player, and SQL Server. Eighteen of the updates are flagged as Critical. Time to fire up Windows Update on all your Windows 8.1 and Windows 7 computers.

Adobe released updates for Flash and Reader today. The Reader update (Reader DC/Continuous: 2017.012.20093; Reader 2017: 2017.011.30059; Reader DC/Classic: 2015.006.30352) addresses sixty-seven vulnerabilities. The Flash update (version 26.0.0.151) addresses two vulnerabilities. Anyone still using Flash or Reader, especially as web browser plugins, should install the new versions as soon as possible.

Flash will plague us no longer… after 2020

Flash was a useful gadget at one time. Used by everyone to play animation, games, and other multimedia content, it was on almost every Windows PC and many mobile devices.

At some point, unknown persons took it upon themselves to determine whether this ubiquitous chunk of software had any weaknesses. And boy, were they rewarded. Flash has, at times, seemed like a bottomless well of security vulnerabilities. No sooner was one hole closed, than another was revealed.

Adobe's efforts to fix Flash

In hindsight, one wonders whether Adobe could have saved Flash with a major, security-focused rewrite. But that’s not what happened. Instead, Adobe kept up the little Dutch boy act, plugging each hole as it was discovered. During this time, Adobe’s updates to Flash sometimes seemed to create more problems than they solved.

Which brings us to the present. The major web browsers have either already dumped support for Flash, or are in the process of doing so. According to Adobe, Flash is still scheduled for its trip behind the woodshed in 2020. Prior to its final exit, Flash will gradually disappear from most of its remaining hiding places.

What remains of Flash will exist in systems that are not easily updated: A/V and advertising kiosks, PCs in business and industry running old versions of Windows, and a few dying phones.

That just leaves one question: what’s the next piece of software that will drive us crazy with terrible security and endless updates?

Peter Bright is a bit sad about the impending demise of Flash.

Brian Krebs provides some additional details.

Flash 25.0.0.171

Adobe’s software updates for April include Flash 25.0.0.171, which fixes seven security issues in previous versions. If Flash is enabled in your web browser, you should visit the official Flash About page to check its version and update if it’s not current.

As usual, Chrome will update itself with the latest Flash, and Internet Explorer and Edge get their new Flash via Windows Update.

Patch Tuesday for May 2017

Well, I was right. The announcement for May’s Patch Tuesday has almost exactly the same wording as last month’s. That’s because neither contains any useful information. No, it’s back to the new Security Update Guide, at least if you want to know what Microsoft wants to do to your computer this month.

According to my analysis of this month’s update information in the SUG, there are fifty distinct bulletins, affecting Flash, Internet Explorer, Edge, .NET, Office, and Windows. A total of fifty-six vulnerabilities are addressed. Fifteen of the vulnerabilities are categorized as Critical.

Today Microsoft also issued three advisories: