Critical updates for Adobe Flash, Microsoft Windows

Microsoft released six software updates on Tuesday to fix at least a dozen security vulnerabilities in Windows, Internet Explorer, Windows Server and Microsoft Office. More than half of the flaws earned a "critical" rating, meaning criminals could exploit them to break into vulnerable systems without any help from users. Separately, Adobe Systems Inc. issued critical security updates to its Flash Player and AIR Web-browser plugins.

The updates are available from the Windows Update Web site, or via the Automatic Update feature in Windows.

Probably the most important update for most users is the one for Internet Explorer, which corrects five critical flaws in IE 6, 7 and 8. These are vulnerabilities that attackers could exploit to quietly install malicious software on your machine if you browse with IE to a hacked or booby-trapped site.

A description of the rest of the vulnerabilities patched in this month's release from Microsoft is available here.

Adobe also issued security updates to its ubiquitous Flash Player and its Adobe AIR software. Updates are available for Windows, Linux and Mac versions of these programs.

The Flash update corrects several critical vulnerabilities in Flash versions 10.0.32.18 and earlier. Users should upgrade to the latest version - 10.0.42.34 - available here. Not sure whether you have Flash installed or which version you need? Visit this link.

A couple of notes about the Flash update are in order. First, Windows users will need to apply this update twice if they use another browser in addition to Internet Explorer. Those users will need to visit the Flash Player Download Page and install the update once with IE, and a second time while visiting that link with Firefox or Opera (the non-IE installer is designed to update Mozilla-based browsers).

Also, Adobe's installer typically pre-checks some third-party software -- such as Google Toolbar or a trial of some anti-virus product -- so if you don't want these "extras," make sure to uncheck that option before agreeing to install the update.

Adobe also shipped an update to its AIR browser plug-in, which updates AIR version 1.5.2 to the newest version, cleverly named 1.5.3. Users can download the latest AIR version from this link.

As always, please drop a note in the comment section below if you experience any problems or weirdness with your system after installing any of these updates.

By Brian Krebs  |  December 8, 2009; 10:40 PM ET
Categories: New Patches, Safety Tips | Tags: adobe flash, microsoft patch

Comments

No problems with the updates to IE and Firefox. Neither prompted me to do the upgrade, so this posting gave me a head start. Also, I'm about to deliver a rebuilt XP machine, and now it will have the updates.
As usual, I'm glad I read this column. It's the only tech blog that I check EVERY day.

Posted by: williehorton | December 9, 2009 6:52 AM

One important note:
The standalone installers available on the Adobe site are still the previous version.

I use the standalones to speed installation for newly built machines, and to quickly update my customers in the field with or without Internet access. Adobe should get on the ball and release these installers the same day as the update... unless, that is, they are more interested in the kickbacks they receive by peddling prechecked added-on crap like "McAfee Security Check."

Oh, wait, that explains it...

Posted by: williehorton | December 9, 2009 6:59 AM

Adobe has a trick up their sleeves if you go to their "test page" at http://www.adobe.com/shockwave/welcome/ , where they silently trigger a shockwave update with another Security bundle. There is no way to cancel the dialog or install. I killed the process and just like any good malware installer, UP POPPED ANOTHER copy of the install.

I loaded SysUtils process explorer and finally killed the Shockwave install. I then uninstalled all Adobe products on that machine.

Posted by: moike | December 9, 2009 7:42 AM

A past WP article on Micro$oft switching my browser to I.E. from Mozilla Firefox would have helped save me lots of trouble yesterday.
My Elderly brain remembers the article indicating that they would sneak-ally do it without permission. Can't find the Post article and wishing I hadn't relied on aging brainpower. Any suggestions? I love my Gmail.

Posted by: Etragert | December 9, 2009 12:11 PM

The non-IE version of Flash Player also works with Google Chrome browser, which I suspect (and as I recall industry data indicates) a lot more people use than Opera. If there is a Mac version as Mr. Krebs describes, then I expect that the non-IE update would also work with Safari for Windows.

Posted by: 54Stratocaster | December 9, 2009 2:45 PM

@moike:
To avoid the stealth install, after you click on the "Get Adobe Flash Player" icon, click the link on the next page which says "Different operating system or browser?" From there follow the prompts to download either the ActiveX or the Mozilla-ish version as a standalone installable file. This also avoids the dopey "Adobe Download Manager" -- a cure for which there is no disease.

Posted by: 54Stratocaster | December 9, 2009 2:50 PM

As always, my thanks to you, Brian! Adobe flash update installed in about 15 seconds with no problems.

Posted by: JBV1 | December 9, 2009 5:24 PM

@54Stratocaster: Your tip addressed my complaint (above) about not being able to find a standalone installer... but there is one quirk that you left out:
You can download the "Other Browsers" installer only from within Internet Explorer, and you need Firefox or Chrome to download the IE ActiveX version. Using either browser to download ITS version of Flash triggers an installation (with the usual pre-checked crapola) instead of a file download.

Your tip just got both installers onto my thumb drive, where they will help secure at least 100 computers (in the 2-3 months before the next upgrade). Thanks much... you have helped make reading Security Fix even more worthwhile than usual.

Of course, without Brian's column, I wouldn't have heard about this update until Gawd knows when. (I delivered a rebuilt XP machine to a 12-year-old this afternoon; he needs -- and deserves -- all the security I can supply).

Posted by: williehorton | December 9, 2009 7:03 PM

I downloaded the version for IE, but when revisiting the page that tells me what version I have loaded, it says that I still have 10.0.32.18 on my system.

Posted by: clogwearer | December 10, 2009 11:20 AM

After downloading it for Firefox 3.5.5, it also tells me that 10.0.32.18 is still on my system.

Posted by: clogwearer | December 10, 2009 11:29 AM

@clogwearer: Just a thought... Is it possible that you are in a limited user account for the update? I know that it will act as if it installed, but it doesn't give any clear indication that it didn't. I've had it happen & then realized shortly afterward. Or are you possibly using "drop my rights" to allow somewhat limited user rights in the browsers?

Posted by: MinCT | December 11, 2009 12:15 PM

To MinCT:
To the best of my knowledge, I'm running as "administrator", not as a LUA.

Posted by: clogwearer | December 11, 2009 10:27 PM

The comments to this entry are closed.
