• Microsoft re-issues critical Flash security patch MS16-064, retires KB 3157993-new version KB 3163207

    #42651

    Adobe Flash again. InfoWorld Woody on Windows
    [See the full post at: Microsoft re-issues critical Flash security patch MS16-064, retires KB 3157993-new version KB 3163207]

    • #42652

      Just wondering, does this patch from Microsoft do the same thing as Adobe’s patch?

      Adobe’s new patch, Flash Player Version 21.0.0.242
      https://get.adobe.com/flashplayer/?promoid=KLXMF

    • #42653

      Strangely enough, my Iobit Advanced System Care 9.2 Pro scan detected this Security update for Adobe Flash Player for Windows 10 version 1511 (KB3163207) as a SECURITY HOLE and is asking me to FIX IT (Action repair)! ….. not sure who to trust anymore 🙁

    • #42654

      In answer to your question, yes, they are the same (.242).

    • #42655

      Microsoft’s patch applies to Windows 8/8.1 and 10 which have Flash Player for IE (and Edge for Windows 10?) built in. For Firefox, the equivalent patch is from Adobe.
      For Windows 7 and Vista, both patches, for IE and Firefox, are from Adobe. One is Active X and the other one is the so-called NPAPI plug-in.
      If you accept to limit your experience on the Internet to a certain extent for the purpose of reducing the attack surface, you could live without IE and Flash. Sooner or later you will find that this approach is too limiting, at least this is my experience.
      In short, there are two distinct patches, one from Microsoft and the other from Adobe which should normally have the same version, although sometimes they are slightly out of sync. Chrome comes with its own Flash Player implementation and it is maintained by the browser.
      Flash is an Adobe product and all the patches mentioned here are in fact originally developed by Adobe, but released under different brands to serve a specific purpose.

    • #42656

      Woody says: ASPB16-15 covers 25 separately identified security holes (gotta love Flash)

      Like Java RE, Flash Player is inherently insecure and the sooner it disappears from the Internet, the better for everyone. Until then, we can only patch newly discovered vulnerabilities, at the same time knowing that there is more to come, only not discovered or publicised yet.

    • #42657

      Well, that was nearly embarrassing for Microsoft to re-release the MS16-064 Flash Player security updates on May 13.

      Adobe had already posted Flash Player 21.0.0.242 on May 12 for other platforms besides Windows 8, 8.1 & 10 on their web site.

    • #42658

      IE11 has Flash built in, provided by MS. It doesn’t use the standalone from Adobe. Firefox uses the NPAPI plugin. Not sure what uses the standalone ActiveX anymore.

    • #42659

      The only reason I hadn’t killed Flash has been the need to do radar loops when storms hit, but the Weather Service radar page is now (mostly) duplicated by a function in a hazard map.

      http://www.wrh.noaa.gov/map/

      This covers the western region with full functions, but it’s spotty elsewhere in the country. I haven’t been able to find the equivalents for the central or eastern regions.

    • #42660

      You can’t install the ActiveX Flash on Windows 8+ (8.1, 10) because it is part of the OS. Either install it via Windows Update, or Microsoft’s standalone patch.

      There is a dedicated version for Firefox.

      Also there is a dedicated version for Chrome… but Chrome’s Flash is built-in so this version is for…? Actually I’d like to know the answer to that one.

      Direct links (avoids prompts to install toolbars and McAfee-somethingorother):
      https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe Flash Player for Internet Explorer – ActiveX (Doesn’t apply to Windows 8-10)
      https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe Flash Player for Firefox – NPAPI
      https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe Flash Player PPAPI

    • #42661

      IE (all versions including 11) on Windows 7 uses standalone ActiveX from Adobe.

    • #42662

      What happened was that Flash Player had two very rapid security updates. The first, early May, went to Flash Player 21.0.0.140 from .132. The second one went to FP 21.0.0.142. Two separate updates. All browsers in all my OSes (Windows 10 and Linux) had the same pair of updates. Chrome for both OSes just finished the latest round on May 13th. Time to go to the MS Update Catalog again!

    • #42663

      Okay, if I have understood correctly, I have gleaned from the comments here:

      A. The Windows-Update Flash update
      – Is not for Windows 7 because in Windows 7, Flash is not embedded in I.E. and must be dealt with separately by the computer owner by getting updates for it directly from Adobe.
      – Is for Windows versions higher than Windows 7, because in those versions of Windows, Flash is embedded in I.E. and Microsoft is managing all changes to it.

      B. The Adobe standalone update for Flash
      – Is for Windows 7 computers
      – Is not for Windows versions higher than Windows 7, because higher versions of Windows must rely on Microsoft’s Windows Updates to manage all changes to their computer’s Flash program.

      So I assume that, on my Windows 7 computer, I wouldn’t even have seen the Windows Update patches that Woody mentioned in the original blog post about this discussion, because they wouldn’t have applied to my system.

      I expect that most people probably already know this information, but it is not mentioned in the InfoWorld article that this patch is only for Windows 8 and 10, and usually I think it is described which Windows versions the patches are for. I assumed the patches in question covered all Windows versions, since it wasn’t specified in the article.

      =====
      As to just getting rid of Flash and I.E., that isn’t desirable or possible at the present time for everyone to do…
      I wrote under an earlier article on this site a day or two ago —
      “Many, many people around the world still use IE and Adobe Flash. I use both. I have to use Flash for a few specific websites that I need to visit. Without Flash, the sites don’t work correctly. I have all the Flash options as locked down for safety as possible, I only turn it on once I’m at the site where I need it to be on (and I don’t surf off of that site in the meantime), and I disable it in my IE tools when I’m not actively using it.”

    • #42664

      My Windows 7 computer uses the standalone Adobe Flash updates.

    • #42665

      Thank you to folks who explained it to me — I have summarized my understanding of it in a new post about 12 posts down from here.

    • #42666

      >25 separately identified security holes (gotta love Flash)

      Not that I have any love for Adobe Flash, but it’s not really special. Anything that runs in an executable on your system is inherently an attack surface. The run-time functionality is apparently just too complex to manage easily. At least Adobe is keeping on top of their add-on and delivering patches – not like Apple, who have abandoned their QuickTime Add-on.

      Speaking of updates to things that run to bring in the glitz… What’s up with the Silverlight “update” – KB3126036 – that incessantly seems to show up in my WUShowHide tool on Windows 10?

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/10586/SilverlightUpdate0.png

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/10586/SilverlightUpdate1.png

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/10586/SilverlightUpdate2.png

      Assuming this isn’t some kind of “stuck” update, it sure does seem like glitz delivery software can’t help but be riddled with vulnerabilities, doesn’t it?

      But wait – while engineering things in the digital realm can be difficult, it’s not really a given that complex executable software MUST have vulnerabilities! Digital systems actually CAN achieve perfection. It just costs more and takes more time.

      But blapping out code as quickly as possible, written by cheap, inexperienced programmers who may not follow best practices, forgoing system testing, and hoping for the best isn’t really the best strategy for keeping users safe, now is it?

      Conclusion? Safety really isn’t the concern of companies supplying us with free software. Delivering the advertising to us in the most eye-catching manner is.

      I choose not to play.

      -Noel

    • #42667
    • #42668

      This time it is not Microsoft failing an update, as was suggested in some posts. It is Adobe’s product and Microsoft only provides a customised version for the Windows products which have Flash for Internet Explorer built-in.
      Google is likely to do the same with their Flash plugin, only that their forced updates happen behind the scenes and nobody protests because their updates are a lot less intrusive for the end-user.

    • #42669

      poohsticks, to clarify the B item, as I know that you are not a user of Windows 8/8.1/10: the same standalone from Adobe for Firefox (Opera and a few other browsers), named the NPAPI plugin, applies to those versions as well. The Microsoft Update for Flash is only updating the Active X for IE in those versions.
