• Adobe and MS scramble to fix new Flash threats

    #500947

    PATCH WATCH


    Adobe and MS scramble to fix new Flash threats

    By Susan Bradley

    Microsoft is undoubtedly focused on putting final touches on Windows 10, but it’s still cranking out plenty of updates — including several to fix a Flash vulnerability that threatens IE. The Flash threat is considered so severe that Mozilla took steps to block Adobe’s media player in Firefox. The 4th of July might be just a pleasant memory, but it might now be time to declare our independence from Flash.


    The full text of this column is posted at windowssecrets.com/patch-watch/adobe-and-ms-scramble-to-fix-new-flash-threats/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1515323

      I’ve been checking daily for updates; just got the Flash update for Win8.1 this morning. Let’s hope there isn’t going to be another 0 day as far as Microsoft is concerned since they were 2 days behind Adobe on this one. 🙂

      • #1515409

        Those who sometimes need Flash but want to disable it otherwise can try this:
        http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/
        I put this to work on Firefox a week or so ago, and it looks good; I am prompted to click to activate Flash when an app looks for it.

        Here’s more on dealing with Flash:
        http://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/

        :^_^:

        • #1515429

          For a few iterations now, Firefox has included the Shumway plugin which operates by default last I tried it. The plugin does an on the fly transcoding process, so that Flash Videos become HTML5 Videos. I don’t think you need to keep the Adobe Shockwave Flash Plugin installed to use Shumway. Here’s a reference for more information on how Shumway works:

          http://www.neowin.net/news/adobe-flash-player-replacement-shumway-lands-in-firefox-27

          Shumway is now enabled by default, and disabling it does not require editing the about:config file. It appears that with Shumway enabled, you can indeed remove the vulnerable Shockwave Flash Plugin entirely from the Firefox Browser, unless you encounter web sites or players which still do not support the transcoding of Flash content into other formats. (And there are many such sites, sadly.)

          If you for some reason don’t find Shumway in your list of Firefox Extensions, you can download Shumway and check out demos:
          https://mozilla.github.io/shumway/

          Shumway doesn’t work with many modified in-browser Flash Players, but it does work with YouTube, Amazon Videos and PBS Videos. The advantage is that you are not playing the video streams with Flash Player, and thus many of the Flash vulnerabilities are mitigated (though not all of them).

          I have successfully watched many hours of Flash Videos using Shumway under Linux, and where it works, no Flash content needs to be enabled or allowed on the entire web page.

          -- rc primak

          • #1515433

            For a few iterations now, Firefox has included the Shumway plugin which operates by default last I tried it.

            Isn’t that just in the “cutting-edge Nightly version of Firefox that’s not stable enough for regular folks.”:

            Firefox tiptoes toward a world without Adobe Flash

            The Shumway site says it’s a technology experiment.

            • #1518206

              Isn’t that just in the “cutting-edge Nightly version of Firefox that’s not stable enough for regular folks.”:

              Firefox tiptoes toward a world without Adobe Flash

              The Shumway site says it’s a technology experiment.

              Nope. It’s been enabled since before Firefox 37. But I’m running Firefox under Ubuntu Linux. Maybe this is a different Firefox from the Windows Firefox, but I am definitely not on Nightly Builds.

              Yes, the Shumway site has what at least in Linux seems to be outdated information. Maybe it still applies to the Windows versions.

              And I may have already posted this, but Shumway does not work at many Flash dependent sites yet.

              -- rc primak

          • #1516175

            For a few iterations now, Firefox has included the Shumway plugin which operates by default last I tried it. The plugin does an on the fly transcoding process, so that Flash Videos become HTML5 Videos. I don’t think you need to keep the Adobe Shockwave Flash Plugin installed to use Shumway. Here’s a reference for more information on how Shumway works:

            http://www.neowin.net/news/adobe-flash-player-replacement-shumway-lands-in-firefox-27

            Shumway is now enabled by default, and disabling it does not require editing the about:config file. It appears that with Shumway enabled, you can indeed remove the vulnerable Shockwave Flash Plugin entirely from the Firefox Browser, unless you encounter web sites or players which still do not support the transcoding of Flash content into other formats. (And there are many such sites, sadly.)

            If you for some reason don’t find Shumway in your list of Firefox Extensions, you can download Shumway and check out demos:
            https://mozilla.github.io/shumway/

            Shumway doesn’t work with many modified in-browser Flash Players, but it does work with YouTube, Amazon Videos and PBS Videos. The advantage is that you are not playing the video streams with Flash Player, and thus many of the Flash vulnerabilities are mitigated (though not all of them).

            I have successfully watched many hours of Flash Videos using Shumway under Linux, and where it works, no Flash content needs to be enabled or allowed on the entire web page.

            Since I use a Chrome variant, I never heard of Shumway. So someone has indeed created an HTML5 wrapper to play Flash content. They need to cross platform this plugin/add-on for Chrome users (and their variants). 🙂

            • #1516177

              I am a paid subscriber to Windows Secrets and have been for several years. I NEVER update my computer until I have read the Patch Tuesday report by Susan Bradley. I just reviewed the updated list and, like numerous other times, the KB’s don’t match what shows from Windows Update. The two she advised to wait on were listed, thank goodness, but I don’t know what to do so just update the computer not knowing if I am doing the right thing or not! I know Ms. Bradley has her own business and I certainly don’t want to bother her but I do rely on her report. I have fortunately not had any issues just going ahead and downloading/installing the updates. I just don’t understand why my numbers don’t match hers. Anyone else have this issue?

            • #1516185

              I am a paid subscriber to Windows Secrets and have been for several years. I NEVER update my computer until I have read the Patch Tuesday report by Susan Bradley. I just reviewed the updated list and, like numerous other times, the KB’s don’t match what shows from Windows Update. The two she advised to wait on were listed, thank goodness, but I don’t know what to do so just update the computer not knowing if I am doing the right thing or not! I know Ms. Bradley has her own business and I certainly don’t want to bother her but I do rely on her report. I have fortunately not had any issues just going ahead and downloading/installing the updates. I just don’t understand why my numbers don’t match hers. Anyone else have this issue?

              I have found in recent weeks that the patch chart that PhotM links in post #8 above has failed to show anything in the “OK to install” column for updates in recent months, I think April is the last month now showing any recommendations.

              I too find Susan Bradley’s recommendations invaluable, but it surprises me that she is able to make those initial recommendations within barely 24 hours of the monthly updates being released – unless she has prior notice of them of course. Even then I would wonder if that gave her enough time to establish whether any updates are proving problematic. I tend to wait until at least the following Monday before reviewing several sites to see whether there are any further recommendations, and even then Woody Leonhard at https://www.askwoody.com/ will invariably still be advising readers to hold off from installing anything until further recommendations are made. That remains his position as I write this in relation to this month’s updates.

              As for this month’s updates, I’m still being offered KB3077657 and have installed it on one machine as per the Patch Watch recommendations, but I see that it is now supposed to be succeeded by KB3079904 although I’m not being offered the replacement and have no recommendations on it. I’m therefore confused over what to do with my second machine.

              There’s no doubt that investigating these updates and making recommendations on installing or leaving them is a difficult job, although not a thankless one as I have no doubt that it is very much appreciated by all who subscribe here. Doubtless it is getting harder by the month, even if it will cease to be needed for those desperate to submit their machines to forced updates with Windows 10 :)! Personally I’m sticking with Windows 7 for the duration, and will continue to value highly the advice of the experts on how to approach the monthly updates.

            • #1516217

              Hi Tandor,

              Susan certainly doesn’t need me to defend her!

              Consider this, when one wants to complain about how she helps so many of us. Susan is mostly VOLUNTEERING her time to make multitudes’ lives easier. Lately, many months have been extremely consuming when it comes to patches and now Microsoft is spreading things out even more.

              As far as the column that you mentioned, I believe she only uses it for problem patches but I may be wrong. Remember, the Patch Grid is replacing what Microsoft stopped doing! That means Susan and others need to do MUCH research to come up with the Patch Grid and things are much less certain.

              Susan moderates the “Patch Management List”, another volunteer position, that has many, many administrators ready to spin up TEST bare metal/VMs by the 1000s of servers and client Windows OS machines. They are willing to report immediately back to the LIST. I only watch the list because I don’t feel qualified to report on it as I am retired from the industry. One can get a fair impression within a few hours as to the quality of a patch. Also, Microsoft Windows, Servers, Patching and Testing Departments Managers and Employees WATCH the LIST and sometimes comment. It is a great source for them to know if they have a bad patch. Yes, there are patches that change their color after baking in a few days but for the most part with all of the varied testing there are not many.

              I hope that clarifies a few things for many here.

              Thank You once again Susan for ALL of the late nights that you put in, to help all of us from IT Professionals to novices! Most really do appreciate IT A LOT!

              Best Regards,

              Crysta

              --------------------------------------

              1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

              SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

              CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
              Graphics Radeon RX 580, RX 580 ONLY Over Clocked
              More perishable

              2xMonitors Asus DVI, Sony 55" UHD TV HDMI

              1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
              1xOS W8.1 Pro, NAS Dependent, Same Sony above.

              -----------------

            • #1516224

              Hi Tandor,

              Susan certainly doesn’t need me to defend her!

              Consider this, when one wants to complain about how she helps so many of us. Susan is mostly VOLUNTEERING her time to make multitudes’ lives easier. Lately, many months have been extremely consuming when it comes to patches and now Microsoft is spreading things out even more.

              As far as the column that you mentioned, I believe she only uses it for problem patches but I may be wrong. Remember, the Patch Grid is replacing what Microsoft stopped doing! That means Susan and others need to do MUCH research to come up with the Patch Grid and things are much less certain.

              Susan moderates the “Patch Management List”, another volunteer position, that has many, many administrators ready to spin up TEST bare metal/VMs by the 1000s of servers and client Windows OS machines. They are willing to report immediately back to the LIST. I only watch the list because I don’t feel qualified to report on it as I am retired from the industry. One can get a fair impression within a few hours as to the quality of a patch. Also, Microsoft Windows, Servers, Patching and Testing Departments Managers and Employees WATCH the LIST and sometimes comment. It is a great source for them to know if they have a bad patch. Yes, there are patches that change their color after baking in a few days but for the most part with all of the varied testing there are not many.

              I hope that clarifies a few things for many here.

              Thank You once again Susan for ALL of the late nights that you put in, to help all of us from IT Professionals to novices! Most really do appreciate IT A LOT!

              Best Regards,

              Crysta

              If you think I’m criticising Susan, then please re-read my post. No criticism was intended, merely a couple of observations along with several compliments:-

              “I too find Susan Bradley’s recommendations invaluable”

              “I have no doubt that it is very much appreciated by all who subscribe here”

              “Personally I’m sticking with Windows 7 for the duration, and will continue to value highly the advice of the experts on how to approach the monthly updates.”

              I think my position is clear!

              All I have said is that I’m surprised that the initial Patch Watch recommendations can be made so soon after the updates have been released, and that the chart which used to show all the recommendations has recently appeared to be missing them for the past few months (since April’s). I’m sure the recommendations were there for May and June but they, along with July’s, no longer appear when I access the chart. That’s simply reporting what may be a bug or other error, not criticising it.

              If you check past Patch Watch threads on this board you’ll find several where I’ve been quick to thank Susan for her advice. The fact that I have raised a couple of queries about Patch Watch and the chart doesn’t in any way diminish my appreciation for the invaluable service she provides, as hopefully the extracts from my post that I have quoted here will demonstrate. However, if any doubt remains, then let me say again – thank you Susan, your advice is indeed very much appreciated!

            • #1516242

              Hi Tandor,

              Susan certainly doesn’t need me to defend her!

              Consider this,

              No personal attack was meant on you or anybody else BUT many people do read this column, so I felt it was good to put this out there.

              As far as I am concerned, nothing more needs to be said.

              Have a good day,

              Crysta


            • #1516248

              I just renewed my subscription just after this Patch Watch was released. Can I get this emailed to me now that I just renewed, please?

            • #1518209

              I just renewed my subscription just after this Patch Watch was released. Can I get this emailed to me now that I just renewed, please?

              Every time I renew, the most recent paid edition of Windows Secrets Newsletter, complete with Susan Bradley’s column when it appears, is resent to my Inbox at the email address I provide with the subscription. This even though I have a Preference for notification only. That’s good — it confirms that I have made my payment and makes sure I don’t miss any content.

              Anyway, this is how the renewal process is supposed to work. Maybe check your Spam Filters?

              -- rc primak

    • #1515903

      Interesting article. Clarifies a lot of issues with the patches to Windows Update.

      New Policies in July’s Windows Update Client to Stop Windows 10 Upgrades by Normal Users
      http://windowsitpro.com/windows-10/new-policies-julys-windows-update-client-stop-windows-10-upgrades-normal-users

    • #1516115

      Hi Folks,

      Monday, July 20, 2015 (Excerpt)

      This is a summary of the new and changed content to be released on Monday, July 20, 2015.

      New security content:
      MS15-078: Security Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded (KB3079904)

      National Cyber Awareness System:

      Microsoft Releases Security Update

      07/20/2015 02:29 PM EDT

      Original release date: July 20, 2015

      Out-of-band release for Security Bulletin MS15-078
      MSRC Team
      Mon, Jul 20 2015 11:09 AM

      Don’t forget Susan Bradley’s Patch release Grid .xlsx – Microsoft Excel Online that she highlighted in an earlier Post.

      Best Regards,

      Crysta


    • #1516252

      Never mind, it was just sent. Thanks WS!!!!

    • #1516255

      On the KB3079904, same here. At first all 9 of my computers were offered KB3077657, but before I got to installing 7657 per the article all my systems now say KB3079904 is listed and KB3077657 is now gone. So with this new KB3079904, what does Susan know about this and what does she recommend?

      And by the way Susan, you do kick butt. Thanks for all the hard work you put in and making our lives less stressful!!! And to all who add to this forum as well, thank you!!!
