It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday”) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.
Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.
Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in the WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).
Adobe issued patches to fix at least 62 security vulnerabilities in its products, including several critical bugs in Adobe Flash Player and Reader/Acrobat. The Flash Player update brings the browser plugin to v. 22.214.171.124 on Windows, Mac, Linux and Chrome OS.
Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.
When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.
Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.
For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.