Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.
Flash 184.108.40.206 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.
Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.
Shockwave Player 220.127.116.11 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.
If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.
It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.
Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.
A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.
Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 18.104.22.168 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 22.214.171.124 resolves a single security issue in versions 126.96.36.199 and earlier.
Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.
If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.
Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.
Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 188.8.131.52 as the current version, and provides no details. There was no announcement.
A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.
As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.
A new version of Shockwave appeared at some point in recent weeks. There was nothing like an announcement, and version 184.108.40.206 is barely mentioned on the official Shockwave release notes page. In fact, all we get is this: “Current Runtime Release Version: 220.127.116.11”.
Somewhere at Adobe, there’s at least one person who knows why Shockwave 18.104.22.168 was released. It would sure be handy if they said something about it.
If you use a web browser with Shockwave enabled, you should probably install the new version, because it may contain a security fix that Adobe just didn’t bother to mention.
At some point in the last couple of months, Adobe produced a new version of Shockwave: 22.214.171.124. There may have been an announcement, but I didn’t see it.
There’s no mention of the new version on the Shockwave 12 release notes page, so it’s difficult to know what changed. It would be handy to know whether Shockwave 126.96.36.199 includes any security fixes.
Meanwhile, the main Shockwave download page serves up version 188.8.131.52, and the Shockwave checker definitely detects earlier versions and recommends installing version 184.108.40.206.
So Adobe is just being lazy with version announcements, release notes, and other web-based resources. Thanks for nothing, Adobe.
At some point in March, Adobe released a new version of Shockwave, 220.127.116.11. The release notes are light on details, saying only that the version includes “Deprecation of SHA-1 certificates in the Shockwave installer.”
SHA-1 is no longer considered secure, so this is a security update, and anyone who uses a web browser with Shockwave enabled should install the latest version as soon as possible. Note that the Shockwave plugin sometimes appears in browsers as Shockwave for Director.
A new version of the Shockwave player is available from Adobe. The official download page correctly shows the new version as 18.104.22.168, and that’s what you’ll get if you install Shockwave Player from there.
Unfortunately, Adobe still lags behind in updating other web resources related to Shockwave. The Shockwave Player help page, which detects the version you’re running, correctly identifies the installed version, but claims that the newest version is 22.214.171.124. The release notes page for Shockwave 12.x lists the latest version as 126.96.36.199.
If you use a web browser with Shockwave enabled, you should install version 188.8.131.52 as soon as possible, because there are almost certainly security fixes in the new version.
According to FileHippo’s release history for Adobe Shockwave Player, Shockwave 184.108.40.206 was released on November 25, 2015.
The official download page for Shockwave confirms that the latest version is 220.127.116.11. Unfortunately, the official release notes for Shockwave show the latest version as 18.104.22.168.
Worse still, Adobe’s Shockwave version checker page tells me this: “Sorry, your computer does not have the latest Shockwave Player installed. Please go to step 2. (Your version:22.214.171.124 Latest Version:126.96.36.199)” It’s trying to tell me that 188.8.131.52 is the latest version (it isn’t) and that the version I’m running (which is in fact the latest version) is both out of date and somehow older than a version which is clearly the older of the two (184.108.40.206 is older than 220.127.116.11).
Hey Adobe: it’s hard enough to keep our software up to date without you sending us mixed messages.
Adobe finally noticed all the warnings about Shockwave using an old, less-secure version of Flash. The latest new version of Shockwave (18.104.22.168) fixes one specific security issue, while also adding support for the latest Flash using a new feature called ‘Flash Asset Xtra’.
The release notes for Shockwave 22.214.171.124 and the corresponding security bulletin have additional details.
If you use a web browser with a Shockwave plugin, you should install Shockwave 126.96.36.199 as soon as possible. You should also configure the plugin to prompt you before displaying any content, as long as your browser supports doing so.
Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.
Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.
A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.
In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.
This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.
A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.
A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.
A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.