Last week Microsoft issued an unscheduled security update that fixes a serious security vulnerability in Internet Explorer 9, 10, and 11.
According to Microsoft, this vulnerability is currently being exploited on the web, which means that malicious activity that takes advantage of the security hole has been observed.
Details of the vulnerability can be found in Microsoft’s Security Update Guide.
Anyone who still uses Internet Explorer for web browsing should install this update by running Windows Update in the Windows Control Panel or system settings.
It’s the second Tuesday of the month, so it’s once again time to play Patch Or Else, brought to you by Microsoft and Adobe.
It’s easy to get complacent about updating software: diligently installing updates as soon as they become available is an essential part of a good security strategy, and it means you’re less likely to fall afoul of malicious activity. But it also means that after a while you can lose sight of the risk of not staying up to date, and gradually become lax about installing updates. History is filled with stories of lost lessons; it’s apparently in our nature to forget what’s important when we aren’t reminded of the reasons for that importance.
Analysis of Microsoft’s Security Update Guide for the December 2018 updates reveals that this month we have sixty-seven distinct updates, half of which are flagged as having Critical severity. The updates address security issues in Adobe Flash (embedded in Internet Explorer and Edge), Internet Explorer, Edge, .NET, Office, Visual Studio, and Windows.
Update Windows and your other Microsoft software via Windows Update. In Windows 10, open the Start Menu and click on
Update & Security settings >
Windows Update. In older versions of Windows, you can find Windows Update in the Control Panel.
Presumably as part of the ongoing push for transparency in response to Windows 10 update problems earlier this year, Microsoft Corporate VP Michael Fortin posted an article, coinciding with this month’s updates, that explains some of the planning that goes into the monthly updates. Fortin points out that “During peak times, we update over 1,000 devices per second”.
Adobe’s contribution to the patch pile this month is a new version of Adobe Reader. The new Reader includes fixes for at least eighty-seven vulnerabilities, many having Critical severity. The release notes for Adobe Reader DC 2019.010.20064 provide additional details. Update Reader by pointing your browser to the Acrobat Reader Download Center.
This month, we have fifty-six updates from Microsoft. The updates fix security issues in .NET, Office, Internet Explorer, Edge, Microsoft Project, SharePoint, PowerShell, Skype, and Windows. Analysis of the Security Update Guide for this month shows that a total of sixty-three vulnerabilities are addressed by the updates. Twelve of the vulnerabilities are flagged as Critical.
Windows 10 computers will have relevant updates installed automatically over the next few days. Those of you running older versions of Windows that don’t have automatic updates enabled will need to use Windows Update (in the Windows Control Panel) to check for new updates.
Meanwhile, Adobe released new versions of Flash and Reader. Flash 22.214.171.124 addresses a single security vulnerability in earlier versions. Reader DC 2019.008.20081 fixes a single security bug in earlier versions. Adobe software will usually update itself, unless you’ve explicitly disabled its automatic update features.
Earlier this week, Oracle released its quarterly Critical Patch Update Advisory for October 2018. As usual, there’s a new version of the Java runtime Engine (JRE): Version 8, Update 191 (Java 8u191).
The new version of Java fixes at least twelve security issues affecting earlier versions.
If you use Java, I encourage you to update it as soon as it’s convenient. Java is not the target it once was, but it’s still a good idea to reduce your exposure to Java-based threats by keeping it up to date. The only web browser that officially still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java immediately.
The easiest way to check your Java version and download the latest is to go to the Windows Control Panel, open the Java applet, click the
Update tab, then click the
Update Now button. If you’re already up to date, you’ll see a message to that effect.
On October 9th, Microsoft released a new batch of updates for its software. My analysis of the Security Update Guide shows that there are forty distinct updates, addressing fifty security vulnerabilities in .NET, Internet Explorer, Edge, Office applications, and Windows. Twelve of the updates are flagged as Critical.
Analysis of Microsoft’s Security Update Guide shows that this month’s updates address sixty-two security vulnerabilities, ranging from Low to Critical in severity, in the usual suspects, namely Edge, .NET, Internet Explorer, Office, and Windows. There are forty-five updates in all.
If you’re looking for a new way to evaluate Microsoft’s monthly patch offerings, I recommend Microsoft Patch Tuesday by security firm Morpheus Labs. It’s a lot less oppressive — and easier to use — than Microsoft’s Security Update Guide.
Adobe’s providing us with a new version of Flash this month. Flash version 126.96.36.199 fixes a single security vulnerability. As usual, the Flash code embedded in Chrome and Microsoft browsers will update itself through Google’s automatic update process and Windows Update, respectively.
It’s update time again.
Analysis of Microsoft’s Security Update Guide shows that this month there are seventy updates for Windows, Office, Internet Explorer, .NET, Edge, Excel, Outlook, PowerPoint, and Visual Studio. A total of sixty security bugs are addressed, twenty of which are categorized as Critical.
Adobe, meanhwile, has released new versions of Flash and Acrobat Reader. Flash 188.8.131.52 includes fixes for five security issues, all of which are ranked as Important. Acrobat Reader 2018.011.20058 addresses two Critical security vulnerabilities.
Remember, folks: although updating software is perhaps not the most exciting thing you’ll do today, it’s entirely worthwhile, as it limits the damage that can be done by any stray malware that may find itself on your computer… from that attachment you opened without thinking, or that web site you visited when you accidentally clicked that link.
The June 2018 Security Update Release bulletin on Microsoft’s TechNet blog is almost devoid of useful information, but if you click the link to the Security Update Guide, then click the big Go To Security Update Guide button, you’ll see a link to the release notes for this month’s updates.
According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilties are flagged as Critical.
Spring has sprung, and with it, a load of updates from Microsoft and Adobe.
This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.
The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.
Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.
As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 184.108.40.206 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.
You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.
The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.
Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.
If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.
Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.