Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – Flash update out on June 7th

    Posted on June 7th, 2018 at 14:39 Susan Bradley Comment on the AskWoody Lounge

    Be aware that today a Flash update has been released.  For those of you on Windows 7 you will need to either look to a prompt or go to the Adobe flash page for your update.  For those on 10, and 8.1 you get your update from Microsoft.

    https://support.microsoft.com/en-us/help/4287903/security-update-for-adobe-flash-player

    Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

    Generally speaking it’s wise to ensure these flash updates are installed as soon as possible.  Kirsty’s got the links for you here:

     

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Patch Lady – Flash update out on June 7th

    This topic contains 50 replies, has 20 voices, and was last updated by  PKCano 4 months ago.

    • Author
      Posts
    • #196580 Reply

      Susan Bradley
      AskWoody MVP

      Be aware that today a Flash update has been released.  For those of you on Windows 7 you will need to either look to a prompt or go to the Adobe flash
      [See the full post at: Patch Lady – Flash update out on June 7th]

      Susan Bradley Patch Lady

      11 users thanked author for this post.
    • #196539 Reply

      Microfix
      AskWoody MVP

      From Bleeping Computer author Catalin Cimpanu:

      ‘Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.

      The vulnerability was discovered and independently reported by several security firms —ICEBRG, Tencent, and two security divisions from Chinese cyber-security giant Qihoo 360.

      The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions. It was fixed with the release of Flash Player 30.0.0.113’

      More information here:
      https://www.bleepingcomputer.com/news/security/adobe-patches-flash-zero-day/

      For W8.1 and W10 it looks like a June Patch Tuesday fix.

      | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
        No problem can be solved from the same level of consciousness that created IT - AE
      5 users thanked author for this post.
      • #196551 Reply

        woody
        Da Boss

        Brian Krebs also has a report.

        I wonder if it’s out in time to make this month’s security patches for Windows and/or Office?

        1 user thanked author for this post.
      • #196587 Reply

        Microfix
        AskWoody MVP

        Unless MS distribute an out-of-band patch for those on W8.1 or W10, I’d advise to disable flash completely until patch Tuesday since this is a zero day exploit. Better safe than Sorry!

        Who uses flash these days, HTML5 is the way forward.

        | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
          No problem can be solved from the same level of consciousness that created IT - AE
        • #196588 Reply

          PKCano
          AskWoody MVP

          I just received the flash update on my Win8.1 through WU.

          1 user thanked author for this post.
          • #196589 Reply

            Microfix
            AskWoody MVP

            Thanks, That’ll be one less patch on Tuesday then 🙂

            | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
              No problem can be solved from the same level of consciousness that created IT - AE
    • #196597 Reply

      The Surfing Pensioner
      AskWoody Lounger

      Thanks for the heads-up. Personally, I always download Adobe updates direct from their website. It’s a habit I got into years ago, when they started using the prompts to sneak Chrome and Mcafee onto unsuspecting P.C.’s without the owner’s express consent. Nothing wrong with Chrome, but I want to be the one to decide whether to install it on my computer – not Adobe.

      2 users thanked author for this post.
      • #196634 Reply

        Sueska
        AskWoody Lounger

        @TheSurfingPensioner  hehe – I remember when Adobe flash would sneak (uh I mean offer) Google Chrome too. Currently the 2 optional offers (checked) when manually updating flash is McAfee Security Scan Plus and McAfee Safe Connect. Yes thx @pkcano, I got Adobe flash on Win 8.1 via Windows Update today too.

        • #196667 Reply

          The Surfing Pensioner
          AskWoody Lounger

          The last couple of times I updated Flash, I noticed they had removed the pre-set checks in the boxes for the optional offers. Someone must’ve complained. It nearly threw me: I am so used to unchecking the boxes, I didn’t quite know what to do!

    • #196601 Reply

      Ascaris
      AskWoody MVP

      Susan Bradley wrote:

      For those on 10, and 8.1 you get your update from Microsoft.

      As far as I know, that only works if you use IE or Edge exclusively.  If you use Firefox, Chrome, or any other non-MS browser, you have to get your update through Adobe as in Windows 7 (or better yet, uninstall Flash and don’t use it at all, if you don’t have some specific need for it).

      Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

      1 user thanked author for this post.
    • #196600 Reply

      anonymous

      Adobe sneaking Chrome onto systems must have been a while ago because Chrome blocks Flash.

      I use Chrome and there is no Flash player installed on my systems. I won’t use websites that ask for flash to be installed.

      • #196616 Reply

        The Surfing Pensioner
        AskWoody Lounger

        Yep, it was a while ago. I go back a long way.

      • #196629 Reply

        The Surfing Pensioner
        AskWoody Lounger

        I just checked. It was 2012.

      • #196631 Reply

        The Surfing Pensioner
        AskWoody Lounger

        According to Krebs, Flash “ships by default with Google Chrome”.

        • #196697 Reply

          johnf
          AskWoody Lounger

          Actually, it’s PepperFlash that ships with Google, it’s not written by or provided by Adobe Flash. PepperFlash is maintained by Google, and runs in a sandbox, so it’s relatively safer. I haven’t seen warnings about upgrading Pepperflash, though my Linux Chrome updates often, so perhaps that’s how they handle it.

          • #196790 Reply

            anonymous

            pepflashplayer.dll is still digitally signed by Adobe, so it must be an agreement at most between Google and Adobe

    • #196604 Reply

      anonymous

      I said goodbye to Flash long time ago.

    • #196636 Reply

      GeoffB
      AskWoody Lounger

      I am Win 7 x64 and use Google Chrome as my browser, with Flash disabled. Therefore, I assume I don’t need to do an update for Flash to overcome this exploit?

      appreciate advice on this.

      GeoffB

      • #196642 Reply

        anonymous

        Check your installed programs and if you have Adobe Flash installed you should update it or as said  better still uninstall the program.

    • #196658 Reply

      gborn
      AskWoody MVP

      I am Win 7 x64 and use Google Chrome as my browser, with Flash disabled. Therefore, I assume I don’t need to do an update for Flash to overcome this exploit? appreciate advice on this. GeoffB

      Google Chrome auto updates the flash player – see my blog post below how to check the version.

      Adobe Flash Player version 30.0.0.113 available

      • This reply was modified 4 months, 1 week ago by  gborn.
      2 users thanked author for this post.
    • #196659 Reply

      gborn
      AskWoody MVP

      Does Flash update KB4287903 is causing install issues in WSUS environments? I received two user comments between a few hours confirming this. Are you see a similar behavior?

       

      Flash-Update KB4287903: Install issues with WSUS

      1 user thanked author for this post.
      • #196662 Reply

        ch100
        AskWoody MVP

        No issues at all.

      • #196708 Reply

        anonymous

        Install problems for Windows 10 1607 clients can be solved by
        installing the Service Stack Update KB4132216 – before installing
        the Flash Player update KB4287903.

        Gordon7.

      • #196787 Reply

        Susan Bradley
        AskWoody MVP

        1607 is no longer supported unless you are Enterprise or Edu.  Thus flash won’t be pushed out if you don’t have that license.

        Susan Bradley Patch Lady

    • #196663 Reply

      zeuswoz
      AskWoody Lounger

      Thanks, I’ve been asked to do a emergency deployment of the update to my customers Win7 estate. I was hoping for a peaceful Friday.

      Rgds, Zeus

    • #196669 Reply

      CraigS26
      AskWoody Lounger

      I said goodbye to Flash long time ago.

      Me, too, (& Java) and I’ve never noticed an issue.

      WHAT’s the lingering reason(s) to still be using Flash?

      WU Grp A - Win 7-64 Hm Prem / Hm-Stdnt Office '10 / i5 Sandy Bridge Gen 2 / NO Java or Flash

      1 user thanked author for this post.
      • #196671 Reply

        The Surfing Pensioner
        AskWoody Lounger

        I have some old and much-loved animations and applications that use it. And it’s never given me any problems.

        1 user thanked author for this post.
      • #196764 Reply

        gborn
        AskWoody MVP

        There are several applications within business environments, that depends on flash. I’m not sure, whether it’s changes, but VMware ESX vms are using Flash for admin login form.

        2 users thanked author for this post.
    • #196673 Reply

      mindwarp
      AskWoody Lounger

      WHAT’s the lingering reason(s) to still be using Flash?

      There are still sites that haven’t transitioned away from Flash yet. I run into this with sites library patrons have to go to for pre-outside job training per their prospective employers on a regular enough basis. My favorite webgame, from Japan, is only now in the middle of transitioning from Flash to HTML5, after 5 years, although I use the Android port.

      1 user thanked author for this post.
    • #196675 Reply

      Mr. Natural
      AskWoody Lounger

      This morning WSUS has flash updates for window10, etc. Unlike other WSUS updates I always approve the flash updates and have not had any issues (knock wood).

      It’s really easy to push flash updates to windows 7 machine in AD through group policy. You’ll need the msi installer version.

      Just like everyone else I’d rather get rid of flash all together but for now it stays until I can devote more time to that.

    • #196676 Reply

      anonymous

      Have Windows10 Pro x64 v1709
      I’m relatively new with Win 10, so if I wanted to manually download and install the Flash update from the catalogue link vs waiting for Patch Tuesday (which will probably be patch July!!!), how do I update from the catalogue??
      Step by Step specifics, please.
      Thx

      • #196680 Reply

        PKCano
        AskWoody MVP

        The Flash Player update for Win10 1709, KB 4287903 dated 6/5/18. is available NOW through Windows Update. If you are not familiar with Catalog download/manual install, I would advise you to install the update through Windows Update.

        • #196691 Reply

          anonymous

          PK thx but will the update come down thru Windows 10 update if I have my update settings at Group #2, Semi-Annual, and Quality Features 14 days?

          • #196696 Reply

            PKCano
            AskWoody MVP

            Use wushowhid to see that it’s there and hide anything you don’t want to install first.

            I’m set at auto update = 2, SAC, and quality = 0. It shows in my Windows Update. I don’t believe that it is a quality update and it should show up. Just be sure with wushowhide you don’t get 1803.

            1 user thanked author for this post.
      • #196788 Reply

        Susan Bradley
        AskWoody MVP

        SSUs are only needed for the cumulative updates.  Just download the patch from the catalog and install.  If you have quality set to defer for 14 days, going to “get updates” won’t trigger detection.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #196856 Reply

          anonymous

          Susan thanks for the additional comments. However what are SSUs?  And as originally requested, please provide newbie step by step installation from the catalogue starting with what gets downloaded and where when I select the Download button, then how to install.

          Thx

          • #196866 Reply

            anonymous

            Anonymous #196676-

            From what Susan says in her reply just above this one, all you need to do is download the patch and install it on an individual basis. The link to the patch’s spot in the catalog is here.

            Once you get there, go to the last one on the list (there are 19 different versions of this patch!!) and you’ll see the one for your version of Windows 10 listed, version 1709 x64. You DON’T want ANY OTHER ONE on the list that may say 64 in it’s title, ONLY the last one at the very bottom of the list.

            You’ll see a blue button on the right side of the row for your individual update that says”Download”. Clicking that will bring up a box that will have a blue-colored link to the exact file you need, and the file’s entire name will be the link itself, ending in “.msu”.

            Clicking that link should present you with two options: You can either run the .msu installer right then and there, OR you can download the file to a location of your choosing on your computer and run it later at a time of your choosing.

            If you choose to download it and run it later, all you need to do is simply double click the file and let it run when you’re ready. From the sounds of Susan’s post above, it doesn’t sound to me like running the patch will go get anything else you don’t want to have (like 1803 for example), it will just install the patch and that’s it.

            • #196884 Reply

              anonymous

              Thank you for the fine detail – seems easy enough.

              PK – is there a concern we are missing here?

              SSU = Servicing Stack Update???  (Not sure what this is)

            • #196889 Reply

              PKCano
              AskWoody MVP

              The Servicing Stack is the Windows Update mechanism. For 1709, the latest is KB 4131372 for Build 16299.431 or KB 4132650 for Build 16299.461. If you update through WU, it is automatically installed first before the Cumulative Update. If you are manually installing, it needs to be installed first.

              It should be available through Windows update or downloadable from the Catalog.
              Find the Build number of 1709 by typing “winver” (without quotes) in the search box.

    • #196724 Reply

      EP
      AskWoody Lounger

      I just hope Adobe & Microsoft won’t release another new Flash Update this coming Patch Tuesday June 12.

      • #196886 Reply

        anonymous

        What is the concern if they do?

    • #196839 Reply

      davews
      AskWoody Lounger

      As pointed out WU only updates IE based browsers. You must manually update for Firefox based browsers or use their built in updaters.

      I am not losing any sleep over this one. If as it says it is distributed by dodgy email and as a flash attachment to Office documents I can relax as I don’t have Office and pretty sure LibreOffice would alert me to this unusual situation. Besides which it would never get through my spam filters (instantly deleted in Mailwasher before it got anywhere else.

      I do have one application (Telegraph crosswords) which uses flash with no alternative in sight but in general the use of flash online has decreased enormously in the past year.

       

    • #196861 Reply

      Slowpoke47
      AskWoody Lounger

      My apologies to go off-topic, but I have been unable to find out how to post an question on the proper forum, when clicking on the “comment…” link the response is, “there is nothing here”.  Can someone please tell me how to post my question?  Many thanks!

      Slowpoke

      • #196863 Reply

        PKCano
        AskWoody MVP

        In which topic are you trying to post?
        On the main blog page, clicking on the “Comment on the AskWoody Lounge” link will take you to the right place for comments on that topic.

        1 user thanked author for this post.
      • #196873 Reply

        PKCano
        AskWoody MVP

        Is this the post you were trying to make? The topic is Windows 7 Update, Location in the Lounge Windows\Windows 7\Questions Windows 7.

    • #196867 Reply

      b
      AskWoody Lounger

      Flash is blocked in Office 365 Monthly Channel from this month:

      Blocking Flash, Shockwave, Silverlight controls from activating in Office Applications for Security

      2 users thanked author for this post.
    • #197809 Reply

      anonymous

      Well it is June 14 and still no sign of the Flash Update in my Windows Download que, guess Susan was correct – with Quality Features set to 14 days it wont detect the update (until 14 days I guess?).

      • #197821 Reply

        PKCano
        AskWoody MVP

        That is correct.

        If you have Auto Update set to Enabled, =2 (notify download/install) in Group Policy, you can set delay Quality Features = 0. The updates will show up in the queue but won’t download until you click the “Download” button. The computer will search when it starts up and the updates will be visible. (Don’t manually check for updates, that will automatically start the install) If you set metered connections, you can use wushowhide to hide the ones in the queue you don’t want and install the ones you do. There is a trick to that I mentioned here.

        • #197830 Reply

          anonymous

          OK, yes I do have GP setting at 2, so guess I could loosen up on the 14 days.

          Regarding wushowhide, say I have items hidden, when I select to unhide them or one item (because I want to install the KB) do they automatically download and install upon exiting wushowhide?  Or since GP is at 2, do they reappear in Windows update queue once again waiting for me to select download and install?

          PS not sure why these are not appearing as replies under the reply #

          • #197834 Reply

            PKCano
            AskWoody MVP

            To make a reply, click on the “Reply” button on the top line of the post you want to reply to across from the date. Be careful – the words are light and “spam” “trash” and “report” are there too.

            In my experience, when you check to unhide in wushowhide, the updates end up in the queue waiting for you to click “download.” I have not had one start downloading automatically. But just to be safe, leave connections on “Metered.”
            If they don’t disappear from the queue when you hide them, try the procedure I linked to above.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – Flash update out on June 7th

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: