Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software.
Microsoft’s patch to fix at least five critical bugs in the Windows file-sharing service is bound to make a great deal of companies nervous before they get around to deploying this week’s patches. Most organizations block internal file-sharing networks from talking directly to their Internet-facing networks, but these flaws could be exploited by a malicious computer worm to spread very quickly once inside an organization with a great many unpatched Windows systems.
Another critical patch (MS17-013) covers a slew of dangerous vulnerabilities in the way Windows handles certain image files. Malware or miscreants could exploit the flaws to foist malicious software without any action on the part the user, aside from perhaps just browsing to a hacked or booby-trapped Web site.
According to a blog post at the SANS Internet Storm Center, the image-handling flaw is one of six bulletins Microsoft released today which include vulnerabilities that have either already been made public or that are already being exploited. Several of these are in Internet Explorer (CVE 2017-0008/MS17-006) and/or Microsoft Edge (CVE-2017-0037/MS17-007).
For a more in-depth look at today’s updates from Microsoft, check out this post from security vendor Qualys.
And as per usual, Adobe used Patch Tuesday as an occasion to release updates for its Flash Player software. The latest update brings Flash to v. 220.127.116.11 for Windows, Mac and Linux users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.
The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.
If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.
Finally, Adobe also issued a patch for its Shockwave Player, which is another program you should probably ditch if you don’t have a specific need for it. The long and short of it is that Shockwave often contains the same exploitable Flash bugs but doesn’t get patched anywhere near as often as Flash. Please read Why You Should Ditch Adobe Shockwave if you have any doubts on this front.
SOURCE: Krebs on Security