Microsoft just released 13 updates to address more than three dozen unique security vulnerabilities.
Adobe issued security fixes for Flash Player that plugs at least 22 security holes in the widely-used browser component.
Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.
According to Krebs:
One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.
Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).
If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. 20.0.0.306. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).
Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.
Finally, Oracle pushed out the second security update (Java SE 8, Update 73) this week for Java JRE. as well as an emergency security update from Oracle for Java — the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.
This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).
If you have an specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.
Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.
Check out the Krebs On Security Article for Tutorials