Free Republic
General/Chat

Microsoft catches up to Valentine's Day Flash flaw massacre (but ignores Win7, wtf!)
The Register ^ | Feb 23, 2017 | Simon Sharwood

Posted on 02/23/2017 10:35:21 AM PST by dayglored

Critical update deals with five ways to do remote code execution on Windows

Microsoft's popped out a Security Update for Adobe Flash.

Adobe did likewise last week, celebrating hackers' love for Flash by releasing it on Valentine's Day. That dump addressed no fewer than 13 CVEs that allowed code execution due to:

Microsoft's now caught up, issuing the Update to fix the mess on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

The attack succeeds by poisoning a malicious website. There's a list of mitigations here, but the bottom line is that if you blacklist Flash a few websites will misbehave but your attack surface will shrink appreciably.

This update is not a delayed release for February's Patch Tuesday, which Microsoft has delayed due to problems doing the job right. Windows admins can expect a patch deluge come mid-March.

Windows Update will retrieve the patches if you've set it to do so, or you can get them here.


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: flash; security; windows; windowspinglist
To: dayglored

Should I uninstall Flash v24 from my Win-7 unit? Is there a list of what stops working?


21 posted on 02/23/2017 12:45:00 PM PST by Carriage Hill ( Poor demoncrats haven't been this mad, since the Republicans took their slaves away.)

To: waynesa98
> A few weeks ago MS made a statement that Win7 can no longer be adequately secured with patches and updates.

Which is almost certainly horsechit.

Every vulnerability in the NT 6.1.7601 codebase (that's "Windows 7 Service Pack 1" to users) that was discovered so far for 8 years has been patched successfully.

Now with Windows 10 adoption suffering, and sales missing their targets like crazy, and the "billion installs" milestone receding over the horizon, suddenly Microsoft discovers vulnerabilities in Windows 7 that they can't patch? Oh Really??

Color me intensely sceptical.

> Frankly Win10 is much better,...

"Better" is subjective.

Things like internal security architecture are objective. And I agree that Microsoft has learned things over the years that make it EASIER to fix the vulnerabilities in Windows 10 compared to Windows 7. No argument.

But... "impossible" to fix?

Nope, sorry, I just don't believe it.

Microsoft knows that in Jan 2020 they will have to pound a stake through the heart of Windows 7. And I have no doubt this is just getting the huge number of Win7 users "softened up" for that stake. I would bet a $20 donation to FreeRepublic.com that before Jan 2020, Microsoft announces at least one huge, scary, "fatal vulnerability" in Win7 that they refuse to patch. They did that with WinXP at the end of extended support, and they'll do it again.

22 posted on 02/23/2017 12:48:03 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: AppyPappy
> Them’s fighting words.

:-)

In case you're wondering...

23 posted on 02/23/2017 12:50:38 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: carriage_hill
> Should I uninstall Flash v24 from my Win-7 unit? Is there a list of what stops working?

If you uninstall it entirely, you lose a lot of desirable functionality on many sites. So I use "FlashBlock", a browser add-in, that lets you selectively manage which sites you allow to run Flash.

The list is huge. Make that "YUGE!"

24 posted on 02/23/2017 12:52:27 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

It's the UNDEAD. I hate Flash with a passion but it's still unavoidable for certain applications.

I guess I'm just lucky because there is NO WEBSITE ON THE PLANET where I need to go that requires flash. I uninstalled it years ago. Frankly, if a website is still so backward that they use flash, I'd be leery of going there even with flash blocked.


25 posted on 02/23/2017 12:52:34 PM PST by 867V309 (Lock Her Up)

To: dayglored

That won’t work on Opera, but I also have Chrome.
Thanks!


26 posted on 02/23/2017 1:02:13 PM PST by Carriage Hill ( Poor demoncrats haven't been this mad, since the Republicans took their slaves away.)

To: AppyPappy

We have one application management console that runs on flash of all things. It’s all internal but it still requires flash on the server.

Go figure.


27 posted on 02/23/2017 1:37:41 PM PST by rockrr (Everything is different now...)

To: waynesa98
> A few weeks ago MS made a statement that Win7 can no longer be adequately secured with patches and updates.

Kinda says a lot about what they once called their "most secure operating system". Also about the quality of their products in general.

28 posted on 02/23/2017 1:56:22 PM PST by zeugma (The Brownshirts have taken over American Universities.)

To: dayglored; carriage_hill

I’m running Firefox with the Flash plugin. I have it set to “Ask to Activate” so that it will run only on sites I trust. As a further safeguard, you have the option of running it only once for that site or remembering it’s o.k. for future use there.


29 posted on 02/23/2017 2:36:35 PM PST by CedarDave (Proud member of Hillary's Deplorables class of 2016.)

To: dayglored

pshaw, dayglored, you sound a mite bit peeved, a very mild response compared to my own.

Of course, in addition to Win 7 and Vista, I still have an old XP system, an NT4, and a Win 2K (not online, but still useful). I’ve had it with MS, and I’m an MCP, lol.

I’ve already switched one system over to dual boot Mint. When I find enough business software (including that required by industry and financial systems that I use) then I’ll leave MS to rot in its own foolishness.


30 posted on 02/23/2017 2:42:26 PM PST by RebelTex

To: dayglored; carriage_hill

“Adobe Flash protected mode in Firefox

This article only applies to Firefox on Windows Vista and above.
Important: This article does not apply to the 64-bit version of Firefox available for 64-bit operating systems on Windows 7 and above. Mozilla has its own “NPAPI plugin sandbox” security feature for 64-bit Firefox, which is enabled by default.

Flash protected mode is a security feature for Firefox which is implemented by Adobe for Windows operating systems (Windows Vista/7/8 or above). This feature is enabled by default, to make it difficult for attackers to access your computer.

Flash protected mode might cause Flash performance problems in Firefox, such as persistent hangs or plugin crashes. This is especially true for users on Windows touchscreen devices and for users who use accessibility tools.

You can turn off Flash protected mode by following these steps:

Click on the menu button, followed by Add-ons.
Click on the Plugins panel and select Options next to Shockwave Flash.
Remove the check mark next to Enable Adobe Flash protected mode.
Click the menu button and then click Exit/Quit to close Firefox completely, so that the change can take effect.

When you reopen Firefox, Flash protected mode will be disabled.

Warning: Disabling Flash protected mode makes your computer more vulnerable to security exploits. Do not disable this feature unless you are affected by poor Flash performance.”

https://support.mozilla.org/t5/Videos-sound-pictures-and/Adobe-Flash-protected-mode-in-Firefox/ta-p/27375


31 posted on 02/23/2017 2:44:15 PM PST by CedarDave (Proud member of Hillary's Deplorables class of 2016.)

To: CedarDave

Thanks.


32 posted on 02/23/2017 3:09:21 PM PST by Carriage Hill ( Poor demoncrats haven't been this mad, since the Republicans took their slaves away.)

To: dayglored

You understand that Flash is integrated directly into IE in Win8+ but nonexistent in anything under, right? You’re freaking out over nothing dayglo.


33 posted on 02/24/2017 3:05:24 AM PST by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)

To: dayglored

While some vulnerabilities could be addressed, there are others that can’t. Starting with w8 new securities tech was integrated at the kernel level to make the OS far more secure. w10 has gone even further. To fix 7 it would have to be fully rewritten.

That said MS is moving its monetization model to Azure so they have no interest in w7.


34 posted on 02/24/2017 7:12:55 AM PST by waynesa98

To: rarestia
LOL, rarestia my FRiend, I owe you one.

Neither the Microsoft.com page, nor the Register article, mentioned Internet Explorer at all, or that would have reminded me that "Flash in Windows" really means "Flash in IE". And since I do not use, nor does my company support the use of, Internet Explorer, I've ignored (and largely lost track of) recent changes to IE. On my Windows 10 boxes I use Edge; on everything else I use Firefox, Chrome, or Opera.

So you're right, and my comment #3 at the top:

"Or perhaps someone with more time to research this can show me where the Flash vulnerabilities don’t apply to Windows 7..."
was more accurate than I thought.

Thank you!

#FalseAlarm

35 posted on 02/24/2017 8:17:57 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: rarestia; dayglored
Q: Is Adobe Flash supported on IE11?

Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the Manage Add-ons dialog box, while administrators can turn this feature on or off using the Group Policy setting, Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects.

Important

The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in.

https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11

36 posted on 02/24/2017 9:47:17 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
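
Added example (not part of the thread or of the quoted Microsoft FAQ): a PowerShell check of whether the Group Policy setting named in post 36 is in force on a host. The registry path and the `DisableFlashInIE` value name do not appear on this page; they are the ones the Internet Explorer administrative template writes for that setting, and the machine-over-user precedence is an assumption stated in the comments.

```powershell
# Audit the "Turn off Adobe Flash in IE and prevent applications from using
# IE technology to instantiate Flash objects" policy.
# Assumption: the policy is stored as a DWORD named DisableFlashInIE under the
# Internet Explorer policy key (value name and path are not given in the thread).
$valueName = 'DisableFlashInIE'
$hives = [ordered]@{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
}

function Get-FlashPolicyState {
    param([string]$Path, [string]$Name)
    # A missing key or value means "Not configured" in that scope.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'FlashDisabled' }
    return 'FlashAllowed'
}

$report = foreach ($scope in $hives.Keys) {
    [pscustomobject]@{
        Scope = $scope
        Path  = $hives[$scope]
        State = Get-FlashPolicyState -Path $hives[$scope] -Name $valueName
    }
}
$report | Format-Table -AutoSize

# Assumption: when both scopes are configured, the machine policy wins,
# so the first configured entry in Machine, User order is the effective one.
$effective = ($report | Where-Object State -ne 'NotConfigured' |
              Select-Object -First 1).State
if (-not $effective) { $effective = 'NotConfigured' }
"Effective policy: $effective"

if ($effective -ne 'FlashDisabled') {
    # Without the policy, users can still toggle Flash in Manage Add-ons.
    Write-Warning 'Flash in IE is not disabled by policy on this host.'
}
```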

