Two new zero-days lead me to the same, old recommendations

Topic

New Reply

Just a quick note. Dan Goodin at Ars Technica has an overview of two separate zero-day attacks that were just plugged, one from Microsoft, one from Ad
[See the full post at: Two new zero-days lead me to the same, old recommendations]

Reply | Quote

Replies

The Flash Player issue is easy enough to patch without risking side-effects from other untested patches for Windows 8, 8.1 and 10. I’m getting the Microsoft Update Catalog fired up again for just the Flash Player patch for both of my devices.

Interestingly enough, Chrome as of this moment (very early May 11th morning) has not been updated for this Flash layer vulnerability. But then again, Chrome was on a slightly higher Flash Player version than the other browsers to begin with.

Reply | Quote

Due to the timing of Patch Tuesday, the Microsoft Update Catalog already has this patch. See my comment below.

Reply | Quote

Both sound familiar and both here are avoided, IE as I’ve “disabled” it, Flash as I’ve eradicated it system-wide. Not to mention Java, removed since August 2015, not to mention Adobe’s Reader (Adobe has two nominees!), removed years ago.
Thanks for the information.

Reply | Quote

I quit using Flash a while back. Totally by accident I discovered that Flash was greatly slowing down my web browsing experience, so I uninstalled it. There are a few videos I can’t watch, but other than that, getting rid of Flash has been a good thing for me.

Reply | Quote

I have Adobe Flash Player ActiveX installed on my computer. I only use Chrome and verified that I have the latest version (21.0.0.216) using the Adobe Flash Player Help page. The message I receive is ‘Flash Player is pre-installed in Google Chrome and updates automatically!’

Do I need both or can I uninstall the ActiveX one? Common sense says I can but I’m not sure!

Any replies would be appreciated…

Reply | Quote

Uninstall the ActiveX version. It only works in IE – not even in Edge.

Reply | Quote

Okay so the Cumulative IE 11 Security Update KB 3154070 JUST appeared on the new list of May updates for Win 7 64 bit this afternoon. Should I download and install it? Is this 0-day that serious?

Even astrophysicist Carl Sagan when speaking astronomically used Billions, not Trillions.

Reply | Quote

Chrome has an embedded PPAPI (aka Pepper Plugin API) version of Flash and cannot be removed.

Version 50.0.2661.102 of Chrome has just been released which DOES contain the newest version of Flash Player [v21.0.0.242] as I’ve downloaded & installed myself on a Win7 PC.

Reply | Quote

@rc primak: see my other comment below. Google Chrome v50.0.2661.102 contains the same version of Flash Player as the ones released on MS Update Catalog on May 10.

Reply | Quote

If you use Internet Explorer, yeah, you should think about installing it. But don’t use IE!

Reply | Quote

Just updated Chrome and noticed it has a higher version of Flash than is listed on the Adobe website https://www.adobe.com/software/flash/about/

Chrome 50.0.2661.102 is now showing Flash 21.0.0.242

Reply | Quote

I’m concerned about the recommendation of “don’t use IE” when dealing with a 0-day. Like it or not, IE is a backed in app and not patching it leaves the system vulnerable if you use IE or not.

Malware isn’t coming from script kiddies today, now it’s the product of organized crime, state sponsored attacks and more like that. The unpatched system is unlikely to be attacked except for that pesky infection vector today that’s between the seat and the keyboard (or touch screen) – the human. By using simple social engineering tricks, you can have someone open an email, click a link or try to watch that one cutest ever kitten video online and wammo – you’ve been pwned!

You can rest assured that malware authors first and foremost are now targeting Chrome. BTW almost all malware is now coming from Chrome extensions when in the olden days it was just Flash/Adobe Reader/Java – not the extensions probe for vulns in those other products including IE.

Just my $0.02. Best regards on the great service provided to all here!

Reply | Quote

Oh, you have to update IE sooner or later. Windows uses it. But for now, if you’re not actively going to web sites with IE, you’ve dodged the zero-day.

Reply | Quote

I use Flash with Firefox, and have it set to ask to allow it to be used / turned on. And then I just let it turn on for Hulu, Fox, ABC, etc. sites so I can watch stuff. That seems to work pretty well.

Reply | Quote

W7 Home Premium SP1

I see the IE11 update KB3154070 blurb states:
“Additionally, this security update includes several nonsecurity-related fixes for Internet Explorer.”

Isn’t this similar to how they bundled some nagware a couple of months ago with a security update?

Reply | Quote

Actually, they bundled the ability to show ads in the security update. We only know for sure because an internal Microsoft document leaked. As far as I know – and I’ve been following closely – Microsoft never actually showed an ad.

Reply | Quote

Which raises the question, how bleeding out of date are these people that are hacking IE & adobe flash, in this day and age rarely if anyone uses them. Now I can see IE getting targeted since it’s needed to use the internet, but seriously, flash, what are these hackers think people are running in this day and age, win98?

Reply | Quote

Sorry if I’m being stupid or missed something, but are we sure nothing bad is hidden in the nonsecurity-related fixes in KB3154070?

Reply | Quote

MS16-051 article on MS site has links to the KB articles, but the writer of the content used a local path vs, the website path. Whoopsie! Just wanted to point it out to those that want to read more it’s a short raod with a steep drop off.

mhtml:file://C:UsersdelandAppDataLocalMicrosoftWindowsINetCacheContent.OutlookEHRWXD8XMS16-051%20deployment%20tables.mht!x-usc:https://support.microsoft.com/kb/934307

Reply | Quote

There may well be something hidden.

Remember we’re at MS-DEFCON 2. That means I strongly recommend folks NOT install any of the current updates, as long as they’re running any browser other than IE.

Give the patches some time to percolate. Ferment. Decay. Whatever. It’s still much too early to tell for sure which are good and which aren’t.

Reply | Quote

1. Listen to Woody
2. Take a system image backup on a regular basis, or at least before updating
3. It only takes a short time to restore a system image, if things go wrong

Reply | Quote

I do the same thing. I have to if I want to watch a show on TV sites, they still use the Flashplayer.

Even astrophysicist Carl Sagan when speaking astronomically used Billions, not Trillions.

Reply | Quote

@ John W. and all. Always have a frequent backup, either full system or your data. Many times I’ve seen the without scenario and that is very painful 24-48 hours or more to get back up and running. The restore scenario is a great thing 1-2 hours to get back up and running.

Reply | Quote

Many, many people around the world still use IE and Adobe Flash.

I use both.

I have to use Flash for a few specific websites that I need to visit. Without Flash, the sites don’t work correctly.

I have all the Flash options as locked down for safety as possible, I only turn it on once I’m at the site I where I need it to be on (and I don’t surf off of that site in the meantime), and I disable it in my IE tools when I’m not actively using it.

Reply | Quote

Flash Player Version 21.0.0.242 is now available for download:

https://get.adobe.com/flashplayer/?promoid=KLXMF

—
original security advisory:

“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12.”

https://helpx.adobe.com/security/products/flash-player/apsa16-02.html

Reply | Quote

Just a mention that KB3142037 for Windows 7 and 2008 R2 in two flavours – Security Update for .NET Framework 4.6.1 and separately under the same number Security Update for .NET Framework 4.6 have been re-revised.
I think is not offered again if it is already installed, it seems to be a very minor revision.
If .NET Framework 4.6 (no longer supported officially, although still getting patches?!) or .NET Framework 4.6.1 are not installed, the update is not offered.

Reply | Quote

IE11 (and IE8-10 for that matter) supports the same thing. Editing the list is not exposed in the interface.

This function is lost when IE is pretending to be edge. edge is just IE with all the functionality removed.

Zones, gone. Plugin support, gone. Ad blocking, gone. IE’s rendering engine, that’s all that’s left. The whole point was so use edge and start seeing those ads you blocked in days past.

Reply | Quote

Java is by far the biggest threat; I mean they designed to run OUTSIDE the browser sandbox. The bulk of the code should run INSIDE the sandbox with a broker for external resources. (Redesigning it this way takes work for a even well written program, for java, I would guess a total re-write)

Adobe Reader (10+) and Flash do this quite well. Although part of Adobe Readers protection is off by default. Java doesn’t do it at all. Note that Adobe Reader 9 was one of the most exploited programs out there no-one bothered to target much other code, they added the sandbox (least privilege and all) and now things are much better.

Some programs would do well to forget the browser integration and just be a standalone program. I have to set adobe reader this way after every update.

I guess it comes down to either write the code well and securely the first time, or take microsoft’s approach “its a streaming OS/product, we’ll fix it later*”.

*later means within 6 months after a zero day, or never if we can render the product obsolete before we have to fix it (new inferior replacement product out of beta soon, on sale tomorrow)

Reply | Quote

1. Don’t use Flash web plugins. Most websites are updating to HTML5, anyway. If you must, at least take advantage of your browser’s “click to play” feature for plugins.
2. Don’t use Java web plugins.
3. Don’t use Quicktime web plugins. This is no longer supported by Apple on Windows. You can install the latest Quicktime “essentials” only. I have a few applications that use the Quicktime codecs for embedded videos, and this works fine. It just removes the deprecated web plugin from the browser, which is the currently at risk issue.

Reply | Quote

Oh yeah, as Woody says, “don’t use IE”. Good advice, as there are much more secure options when it comes to browsers … Just use anything else

Reply | Quote

It is all legitimate. IE and Flash are still widely used and required for a full Internet experience and will be used until alternative reliable solutions will be widely accepted. HTML 5 will likely be one of those alternative and better solution to Flash, but it is still early days. Until then, the current solutions need to be patched to the best available updates.

Reply | Quote

Woody,

Thank you for the warnings and advice. Noel C’s tool kept everything at bay.

We don’t see the IE 11 update for our Win 10 Home. Is that because we have it checked to update automatically?

It looks as if we have the Flashplayer update, two for Win 10 KB3156421 and KB3152599, 4 for MS Office 2007 and suprisingly, KB3126036, a Silverlight patch that came out in January? We hid all of those. We did not hide the MSRT.

I didn’t think our computer had Silverlight so, we did a search of C and came up with nothing. When the time comes should I just install it and see what happens?

Should we install the MSRT?

Reply | Quote

I wouldn’t touch Silverlight with a ten foot pole.

The Win10 patches and Flash update are worthwhile, but hang on for a few days and let’s see if anything bad happens. Same comment for the Office patches. So far, it looks like the May patches are pretty benign.

Reply | Quote

Woody,

Thanks for the input. We appreciate it very much.

Does receiving the patch for Silverlight mean I have it, even if a search of C doesn’t turn anything up?

I don’t see it in installed programs or the Win 10 Apps.

I have never used Silverlight. I don’t understand why the patch is there, unless it is a fluke.

The patch is KB3126036.

Reply | Quote

I guess we weren’t fast enough. All my updates show as hidden with the wushohide tool, but the Win 10 Update and Security center shows them as available except for the Silverlight. I guess that means they will be downloaded when we take them off metered connection if we want them or not.

Reply | Quote

If they appear in wushowhide, they should not be downloaded. Try rebooting. My guess is that your machine will come back up with nothing installed, and nothing appearing in the available list.

Reply | Quote

I honestly don’t know what triggers the Silverlight patch to appear. I get it all the time, too, and ignore it all the time.

Reply | Quote

Silverlight is one of the Microsoft products offered on Microsoft Update. It can be an update to an already installed version or a new installation, like MSE which is offered only on Microsoft Update, not on Windows Update. It is probably considered a useful component by Microsoft. I think there were issues in the past and there may still be with Silverlight missing on sites like Netflix.
The most confusing part is that sometimes the update and the full installation have the same KB number, which in principle means that the update is a major one and it performs a full install/replacement even when there is an existing installation.

Reply | Quote

I had rebooted twice for other reasons since I hid them, but rebooted again per your recommendation. Even so, the notice “we can’t finish downloading your updates” keeps sliding out, and they are listed in the notification panel on the right. So, the computer thinks it can download them.

I guess we will just have to wait until you give the go ahead to install and then see if I have to “unhide” them in reality, or if they really are ready to download.

Thanks Woody!

Reply | Quote

Well, its an optional update if you don’t have it, and a critical update if you have it but it is out of date. If you are running windows 10 I guess there is no wait to tell if you are “installing” silverlight or if you are “installing a critical security update TO silverlight”.

If your updates are set to automatic (they are, you have no choice) and optional updates install automatically (have we testing for that here yet?). Then I guess silverlight will be installing automatically and then updating.

If you have silverlight but not the latest update then you are not secure.

Reply | Quote

I think Netflix finally gave Silverlight the boot.

http://thenextweb.com/apps/2015/12/18/firefox-users-have-another-reason-to-drop-plugins-netflix-just-got-html5-support/#gref

Reply | Quote

It actually is a way not to get it in Windows 10, which is the same with any other version of Windows. Silverlight comes as Optional only on Microsoft Update, while as Security Critical comes on Windows Update.
You have to select Microsoft Update in Windows 10 to get Silverlight initially if it is not installed manually.

Reply | Quote