Category Archives: Flash

Adobe software updates: October 2016

Adobe announced new versions of Flash and Reader/Acrobat yesterday.

Flash 23.0.0.185 fixes twelve vulnerabilities in previous versions. The new version also adds some new features, but these are likely only of interest to developers. If you still have Flash enabled in any web browser, you should either update it immediately, or disable Flash in the browser. As usual, Chrome will update itself with the latest version, and Internet Explorer and Edge on Windows will get the new Flash version via Windows Update.

New versions of Reader/Acrobat (XI, DC Classic and DC Continuous) address a whopping seventy-one vulnerabilities in previous versions. If you use a web browser with an Adobe Reader add-on, you should either update it as soon as possible or disable that add-on.

Patch Tuesday: October 2016

It’s the first day of a new era in Windows updates. Windows 7 and 8 now get updates in cumulative rollups, and updates are bundled together.

This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.

Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security-only quality update and one for the security monthly quality update.

All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).

So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.

I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.

The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.

Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.

Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.

Patch Tuesday for September 2016

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash; Internet Explorer 10 and 11, and Edge, get the new Flash via the Microsoft update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

Firefox 48

There’s a lot to talk about with the release of Firefox 48. Of course, this being Mozilla, nothing is straightforward.

Process separation

One of the most important new features in Firefox 48 is process separation (aka Electrolysis, aka e10s), whereby Firefox is split into separate processes, instead of running as a single process. The idea is to improve stability, responsiveness, and security. According to Mozilla: “Users should experience a Firefox that is less susceptible to freezing and is generally more responsive to input, while retaining the experience and features that users love.”

Here’s what the release notes have to say about it: “Process separation (e10s) is enabled for some of you. Like it? Let us know and we’ll roll it out to more.” What does this even mean? How do I know if process separation is enabled in my copy? What’s the difference between Firefox 48 with process separation enabled and with it disabled? How can I provide feedback on something if I don’t even know for sure I’m seeing it? If it’s not enabled in my copy, how will Mozilla ‘roll it out’ to me?

A separate Mozilla blog post answers some of these questions. Process separation will be enabled gradually in a series of Firefox releases, starting with 48 and continuing with 49. You can determine whether e10s is enabled in your copy of Firefox by entering “about:support” into the URL bar, and looking at the ‘Multiprocess Windows’ line.

A post on Asa Dotzler’s blog provides a few more answers, including this: “The groups that will have to wait a bit for E10S account for about half of our release users and include Windows XP users, users with screen readers, RTL users, and the largest group, extension users.” In case you were wondering, Asa Dotzler is the Participation Director for Firefox OS, Mozilla Corp.

Improved download security

With version 48, Firefox has beefed up security related to downloads. Actually, it’s more accurate to say that Google added features to its Safe Browsing service, which Firefox uses. Those new features include checking for ‘Potentially Unwanted Software’ and ‘Uncommon Downloads’. The changes are described in another Mozilla post. Unfortunately, this post is poorly worded, making the new features sound as if they watch what a downloaded software installer is doing. In fact, Firefox just checks downloads against a list of known bad or ‘uncommon’ installers (provided by Google) and warns the user if one is encountered. The new features can be disabled in Firefox’s options.

New restrictions for add-ons

Firefox add-ons that have not been approved by Mozilla will no longer work with Firefox 48. Add-ons are a major source of instability and security issues in Firefox, and while this change will be inconvenient for people who use add-ons that have not been verified and signed by Mozilla, it’s definitely a step in the right direction.

Security vulnerabilities fixed

At least twenty-three security issues were fixed in Firefox 48. That means this is an important update; if you use Firefox, you should upgrade to version 48 as soon as possible. If the new features in Firefox 48 are a problem for you, then it’s time to look at alternatives like Opera and Chrome.

Other notable changes

The address (URL) bar now expands to the width of the screen when you’re typing in it. More matches are shown when you enter text in the address bar, and any that are already bookmarked will show an icon.

Improvements to bookmarks and history: Firefox 48 merges “your Reading Lists into Bookmarks and your Synced tabs into the History Panel. This change means your reading list items will now be available across devices alongside your bookmarks, giving you easier access to your content no matter what device you’re using, which is a major upgrade for those of you using Firefox across devices.”

Patch Tuesday for July 2016

It’s a relatively light month for Microsoft patches: only eleven this time. The updates address security issues in the usual suspects, namely Windows, Internet Explorer, Edge, Office, and the Flash code that’s embedded in IE 10, IE 11, and Edge. Six of the updates are flagged as Critical. A total of fifty vulnerabilities are addressed.

Adobe joins in the fun again this month, with updates for Flash and Reader/Acrobat. The Flash update fixes a whopping fifty-two vulnerabilities, while the Reader update fixes thirty vulnerabilities. Update: an announcement for the Flash update appeared on July 14th, despite being dated July 12th.

Update 2016Jul17: Ars Technica points out that one of the Microsoft updates addresses a critical security hole in a Windows printer driver installation mechanism that dates back to Windows 95. The vulnerability was not actually closed by the update; instead, a warning was added to the driver installation process.

Critical Flash update

Earlier this week, Adobe announced that they would delay this month’s Flash update for a few days, which would allow them to include a fix for a critical vulnerability (CVE-2016-4171) that’s being actively exploited on the web.

Yesterday Adobe released Flash 22.0.0.192, which addresses CVE-2016-4171 and thirty-five other vulnerabilities. Anyone who uses Flash should install the new version as soon as possible, but those of us who still use Flash in a web browser need to check their version and update immediately.
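The version check that this post and the September and October posts above keep asking readers to perform, written out as an added example (not code from the original page, from Adobe or from Microsoft): it parses the version string the Flash about page reports, compares it numerically against the fixed builds quoted in these posts (22.0.0.192, 23.0.0.162, 23.0.0.185), and lists which of those releases a given machine still predates. The sample inputs are constructed, and the function and constant names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# First fixed Flash Player build for each release discussed on this page
# (values quoted from the posts; labels are this example's own).
FIXED_VERSIONS: Dict[str, str] = {
    "October 2016": "23.0.0.185",
    "September 2016": "23.0.0.162",
    "June 2016": "22.0.0.192",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Flash Player version string into four integers.

    Accepts '22.0.0.192' and the comma form '22,0,0,192' that the Flash
    about page shows on Windows. Anything that is not exactly four numeric
    fields is rejected rather than silently compared."""
    fields = re.split(r"[.,]", text.strip())
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a Flash Player version: {text!r}")
    major, minor, build, revision = (int(f) for f in fields)
    return major, minor, build, revision


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is the fixed build or newer.

    Tuples of ints compare field by field numerically. A plain string
    comparison would rank '22.0.0.192' below '22.0.0.62' because the
    character '1' sorts before '6', so never compare the raw strings."""
    return parse_version(installed) >= parse_version(fixed)


def missing_updates(installed: str,
                    fixed: Dict[str, str] = FIXED_VERSIONS) -> List[str]:
    """Labels of every release in `fixed` that the installed build predates,
    in the order the table lists them (newest first), so an administrator
    can see which of these advisories still apply to a machine."""
    current = parse_version(installed)
    return [label for label, version in fixed.items()
            if current < parse_version(version)]


if __name__ == "__main__":
    # Constructed sample: a machine still on the build shipped with the
    # June 2016 emergency update, checked against the later releases.
    for label in missing_updates("22,0,0,192"):
        print("still needs:", label)
```

The table only covers the mainline releases quoted on this page; Adobe also maintained an Extended Support Release branch with its own version numbers, and a build from that branch has to be checked against that branch's fixed version rather than the values here.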

Recent versions of Internet Explorer and Edge will get the new version of Flash via Windows Update. Microsoft issued a related bulletin yesterday.

Chrome’s embedded Flash will be updated via its own internal updater. You can trigger the update by clicking the ‘hamburger’ menu button at the top right, then clicking Help and About Google Chrome.

Patch Tuesday for June 2016

It’s that time again, folks. This month Microsoft has sixteen updates, which address forty-four vulnerabilities in the usual culprits: Windows, Internet Explorer, Office, and Edge. Five of the updates are flagged as Critical.

Adobe issued an alert earlier today, saying that they have identified a vulnerability in Flash that is being actively exploited. There’s no update as yet, but they expect to have one ready by June 16. I imagine that Adobe was planning to release a Flash update today to coincide with Microsoft’s updates, but this new threat messed up their timing.

Firefox 47.0

The announcement for Firefox 47.0 highlights a few changes: synchronized tabs (between Firefox instances), improved video playback, and some security and performance improvements for Android users.

According to the release notes, Firefox 47.0 takes a few more steps in the process of moving away from Flash and toward HTML5 for video, and removes support for some older technologies related to plugins. The click-to-activate plugin whitelist, a security feature that was introduced in 2013, has been removed.

Most importantly, Firefox 47.0 fixes at least thirteen security issues. So don’t delay, update Firefox as soon as you can.

Check your Firefox version and trigger an update by navigating to its About page:

  1. Click the ‘hamburger’ (three horizontal bars) menu button at the top right.
  2. Click the question mark at the bottom of the menu.
  3. Click ‘About Firefox’ in the menu.

Flash update incoming

Maybe the Flash developers didn’t make the deadline for Patch Tuesday, so they felt left out. Anyway, according to a security advisory published today, Adobe is working on an emergency update for Flash, to address one specific vulnerability, CVE-2016-4117.

That vulnerability is so new, it doesn’t appear in the vulnerability databases. Adobe refers to it as critical, and indeed, exploits have already been observed in the wild (which makes this a good example of a zero-day vulnerability). Adobe expects to publish a new version of Flash that addresses this vulnerability as early as May 12.

Interestingly, the advisory states that the vulnerability exists in Adobe Flash Player 21.0.0.226 and earlier, while the most recent published versions are 21.0.0.213 and 21.0.0.216. Now I’m thinking that Adobe delayed the Flash update scheduled for Patch Tuesday (which presumably would have been version 21.0.0.226) to give them time to fix CVE-2016-4117.