You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.
Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.
Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.
It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.
Flash 188.8.131.52 includes fixes for two vulnerabilities in earlier versions.
Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.
Shockwave Player 184.108.40.206 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.
There are links to download the new versions on all the release announcement pages linked to above.
Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.
Flash 220.127.116.11 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.
Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.
Shockwave Player 18.104.22.168 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.
If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.
It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.
Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.
A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.
Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 22.214.171.124 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 126.96.36.199 resolves a single security issue in versions 188.8.131.52 and earlier.
Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.
If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.
Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.
Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 184.108.40.206 as the current version, and provides no details. There was no announcement.
A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.
As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.
A new version of Shockwave appeared at some point in recent weeks. There was nothing like an announcement, and version 220.127.116.11 is barely mentioned on the official Shockwave release notes page. In fact, all we get is this: “Current Runtime Release Version: 18.104.22.168”.
Somewhere at Adobe, there’s at least one person who knows why Shockwave 22.214.171.124 was released. It would sure be handy if they said something about it.
If you use a web browser with Shockwave enabled, you should probably install the new version, because it may contain a security fix that Adobe just didn’t bother to mention.
At some point in the last couple of months, Adobe produced a new version of Shockwave: 126.96.36.199. There may have been an announcement, but I didn’t see it.
There’s no mention of the new version on the Shockwave 12 release notes page, so it’s difficult to know what changed. It would be handy to know whether Shockwave 188.8.131.52 includes any security fixes.
Meanwhile, the main Shockwave download page serves up version 184.108.40.206, and the Shockwave checker definitely detects earlier versions and recommends installing version 220.127.116.11.
So Adobe is just being lazy with version announcements, release notes, and other web-based resources. Thanks for nothing, Adobe.
At some point in March, Adobe released a new version of Shockwave, 18.104.22.168. The release notes are light on details, saying only that the version includes “Deprecation of SHA-1 certificates in the Shockwave installer.”
SHA-1 is no longer considered secure, so this is a security update, and anyone who uses a web browser with Shockwave enabled should install the latest version as soon as possible. Note that the Shockwave plugin sometimes appears in browsers as Shockwave for Director.
A new version of the Shockwave player is available from Adobe. The official download page correctly shows the new version as 22.214.171.124, and that’s what you’ll get if you install Shockwave Player from there.
Unfortunately, Adobe still lags behind in updating other web resources related to Shockwave. The Shockwave Player help page, which detects the version you’re running, correctly identifies the installed version, but claims that the newest version is 126.96.36.199. The release notes page for Shockwave 12.x lists the latest version as 188.8.131.52.
If you use a web browser with Shockwave enabled, you should install version 184.108.40.206 as soon as possible, because there are almost certainly security fixes in the new version.
According to FileHippo’s release history for Adobe Shockwave Player, Shockwave 220.127.116.11 was released on November 25, 2015.
The official download page for Shockwave confirms that the latest version is 18.104.22.168. Unfortunately, the official release notes for Shockwave show the latest version as 22.214.171.124.
Worse still, Adobe’s Shockwave version checker page tells me this: “Sorry, your computer does not have the latest Shockwave Player installed. Please go to step 2. (Your version:126.96.36.199 Latest Version:188.8.131.52)” It’s trying to tell me that 184.108.40.206 is the latest version (it isn’t) and that the version I’m running (which is in fact the latest version) is both out of date and somehow older than a version which is clearly the older of the two (220.127.116.11 is older than 18.104.22.168).
Hey Adobe: it’s hard enough to keep our software up to date without you sending us mixed messages.
Adobe finally noticed all the warnings about Shockwave using an old, less-secure version of Flash. The latest new version of Shockwave (22.214.171.124) fixes one specific security issue, while also adding support for the latest Flash using a new feature called ‘Flash Asset Xtra’.
The release notes for Shockwave 126.96.36.199 and the corresponding security bulletin have additional details.
If you use a web browser with a Shockwave plugin, you should install Shockwave 188.8.131.52 as soon as possible. You should also configure the plugin to prompt you before displaying any content, as long as your browser supports doing so.