Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.
Three-quarters of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning malware or attackers could use the flaws fixed in these patches to fully compromise vulnerable systems with zero help from users. What’s more, two of the vulnerabilities are actively being exploited, including a bug in Windows and Microsoft Office.
As per usual, a patch for Internet Explorer addresses a huge chunk (30) of the individual security flaws tackled in this month’s update cycle. Microsoft also released a critical patch to correct 15 weaknesses in Microsoft Edge, the browser meant to supplant IE.
According to security firm Shavlik, supported versions of IE will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. More information about this change is available here.
The SANS Internet Storm Center is reporting that some Windows users who have Outlook installed are experiencing some difficulties using the program after applying this month’s updates. If you use Outlook, it may be wise to put off installing this patch for a few days until Microsoft addresses the issue.
Another vulnerability — fixed by a patch for domain name system (DNS) servers that run on Windows Server — could prove extremely dangerous for organizations that rely on Windows Server for DNS services. According to SANS, Microsoft rates the exploitability as “2”, but doesn’t provide many details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news if you are using a Microsoft DNS server exposed to the public internet.
Adobe’s Flash update brings Flash to version 20.0.0.228 for Internet Explorer and Chrome on Windows and Mac systems, and 20.0.0.235 for Windows and Mac versions of Firefox and Safari.
As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.
Disabling Flash in Chrome is simple enough, and can be easily reversed: on a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing. To disable Flash, click the “disable” link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.
If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.
If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
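Because the patched Flash build differs by browser (20.0.0.228 for IE and Chrome, 20.0.0.235 for Firefox and Safari), a machine can be fully patched in one browser and still vulnerable in another. The following is an added example, not code from the article or from Adobe or Microsoft: it compares an installed Flash version against the per-browser minimum named above and lists what still needs updating. The browser-to-version mapping, the `audit` helper and the host inventory are constructed for this example; version strings are compared numerically, since a text comparison ranks “20.0.0.99” above “20.0.0.235”.

```python
import re
from typing import List, Tuple

# Minimum patched Flash Player versions named in the article (December 2015).
# The browser -> version mapping itself is constructed for this example.
REQUIRED_FLASH = {
    "ie": "20.0.0.228",
    "chrome": "20.0.0.228",
    "firefox": "20.0.0.235",
    "safari": "20.0.0.235",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Tuples compare element by element, so (20, 0, 0, 235) > (20, 0, 0, 99),
    whereas the plain strings compare the other way round. A shorter tuple
    such as (20, 0, 0) sorts below (20, 0, 0, 228), which is the conservative
    outcome when a build number is missing.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(browser: str, installed: str) -> bool:
    """True if the installed Flash build meets the minimum for that browser."""
    required = REQUIRED_FLASH[browser.lower()]
    return parse_version(installed) >= parse_version(required)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, browser, installed, required) for every entry still below the minimum.

    `inventory` holds (host, browser, installed_flash_version) triples, e.g. as
    collected by an endpoint management tool (constructed input here).
    """
    findings = []
    for host, browser, installed in inventory:
        if not is_patched(browser, installed):
            findings.append((host, browser, installed, REQUIRED_FLASH[browser.lower()]))
    return findings


# Constructed sample inventory: host name, browser, reported Flash version.
SAMPLE_INVENTORY = [
    ("ws-01", "ie", "20.0.0.228"),       # patched for IE
    ("ws-02", "firefox", "20.0.0.228"),  # IE/Chrome build, but Firefox needs .235
    ("ws-03", "chrome", "19.0.0.245"),   # previous major release, still vulnerable
    ("ws-04", "safari", "20.0.0.235"),   # patched for Safari
]

if __name__ == "__main__":
    for host, browser, installed, required in audit(SAMPLE_INVENTORY):
        print(f"{host}: {browser} has Flash {installed}, needs {required}")
```

Running the block on the sample inventory flags ws-02 and ws-03 only; ws-02 is the case the article warns about, where the update was applied through one browser but the second browser's plugin is still the older build.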
Source: Krebs