mukeshbalani.com | “You heard it here first…if you haven’t already heard it elsewhere”…
Patch Tuesday, July 2018 Edition
Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.
According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.
Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.
One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.
Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added piece of mind while you’re sitting there praying for the machine to reboot successfully after patching.
As per usual on Microsoft’s Patch Tuesday, Adobe issued an update to its Flash Player browser plugin. The latest update brings Flash to version 22.214.171.124, and patches at least two security vulnerabilities in the program. Microsoft’s patch bundle includes the Flash update as well.
Adobe says the Flash update addresses “critical” security holes, meaning they could be exploited by malware or miscreants to take complete, remote control over vulnerable systems. My standard advice is for readers to kick Flash to the curb, as it’s a buggy program that is a perennial favorite target of malware purveyors.
For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.
Another, perhaps less elegant, alternative to wholesale junking Flash is keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.
If you use Adobe Reader or Acrobat to manage PDF documents, you’re probably going to want to update these products soon: Adobe released updates for both today that fix more than 100 security vulnerabilities in the software titles.
Some folks may be unaware that there are other free PDF readers which aren’t quite as bloated as Adobe’s. Whether these alternative readers are more secure is another question; they certainly seem to be updated less frequently, but that may have something to do with the fact that they include far fewer features and likely less overall attack surface area.
I can’t recall the last time I had Adobe Reader installed on anything I own. My preferred PDF reader for Windows is Sumatra PDF, which is comparatively lightweight and very fast. Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.
For a detailed rundown of the individual vulnerabilities patched by Microsoft today, check out the SANS Internet Storm Center, which indexes the fixes by severity, how likely it is that each vulnerability will be exploited anytime soon, and whether specific flaws were publicly disclosed prior to today’s patch release.
According to SANS, at least three of the flaws — CVE-2018-8278, CVE-2018-8313, and CVE-2018-8314 — were previously disclosed publicly, meaning that attackers may have had a head start figuring out how to exploit these flaws for criminal gain.
As always, if you experience any problems installing or downloading these updates, please don’t hesitate to leave a comment. If past Patch Tuesday posts are any indicator, you may even find helpful responses or solutions from other readers experiencing the same issues.