www.office.com/setup: Adobe and Microsoft published critical solutions for their products today, a.k.a “Patch Tuesday”, the second Tuesday of every month. Adobe updated its Flash Player program to solve a half dozen critical security holes. Microsoft issued updates to correct at least 65 security vulnerabilities in Windows and the associated software.
Microsoft updates affect many basic Windows components, including Internet Explorer and Edge’s built-in browsers, as well as Office, Microsoft’s malware protection engine, Microsoft Visual Studio, and Microsoft Azure.
The Malware Protection Engine flaw was publicly disclosed earlier this month, and one for which Redmond issued an out-of-band update (off the patch on Tuesday) a week ago.
That flaw, discovered and reported by Google’s Project Zero program, is fairly easy to exploit and impacts on malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.
Microsoft really wants users to install these updates as quickly as possible, but it may not be the worst idea to wait a few days before doing so: very often, problems with patches that can cause systems to end up in an endless reboot cycle they are reported and resolved with subsequent updates within a few days of their release. However, depending on the version of Windows you are using, it can be difficult to postpone the installation of these patches.
Microsoft says that by default, Windows 10 automatically receives updates, “and for customers running earlier versions, we recommend that you enable automatic updates as a best practice.” Microsoft does not make it easy for Windows 10 users to change this configuration, but it is possible. For all other users of the Windows operating system, if you prefer to receive an alert for new updates when they are available so you can choose when to install them, there is a configuration for that in Windows Update. In any case, do not suspend the installation of these updates for too long.
The Adobe Flash Player update fixes at least two critical errors in the program. Adobe said it has no knowledge of any active exploit in its natural environment against either of the two failures, but if you are not using Flash routinely for many sites, you probably want to disable or remove this wrong program.
Adobe will eliminate Flash completely by the year 2020, but most major browsers already take steps to put the Flash down. And with a good reason: it is a great responsibility of security. Google Chrome also groups Flash, but blocks its execution on all but some popular sites, and then only after user approval.
For Windows users with Mozilla Firefox installed, the browser asks users to enable Flash per site. Until the end of 2017 and until 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time they visit the site, and will remember user preferences on subsequent visits.
The latest independent version of Flash that fixes these errors is 184.108.40.206 for Windows, Mac, Linux and Chrome OS. But most users would probably be better off limping manually or eliminating Flash altogether, since so few sites really require it yet. Disabling Flash in Chrome is quite simple. Paste “chrome: // settings / content” into a Chrome browser bar and then select “Flash” in the list of items. By default, it must be set to “Ask first” before running Flash, although users can also disable Flash completely here or in the whitelist and in the blacklist of specific sites.
More information on today’s updates is available from Ivanti and Qualys security providers.
As always, if you have trouble installing any of these updates, feel free to write down your problems in the comments below. Most likely, another reader has experienced something similar and can help solve the problem.