Patch Lady – Flash update out on June 7th

Topic

New Reply

Be aware that today a Flash update has been released.  For those of you on Windows 7 you will need to either look to a prompt or go to the Adobe flash
[See the full post at: Patch Lady – Flash update out on June 7th]

Susan Bradley Patch Lady

11 users thanked author for this post.

cesmart4125, alpha128, SueW, Elly, Sueska, samak, KarenS, woody, jburk07, The Surfing Pensioner, Mr. Natural

Reply | Quote

Replies

From Bleeping Computer author Catalin Cimpanu:

‘Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.

The vulnerability was discovered and independently reported by several security firms —ICEBRG, Tencent, and two security divisions from Chinese cyber-security giant Qihoo 360.

The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions. It was fixed with the release of Flash Player 30.0.0.113’

More information here:
https://www.bleepingcomputer.com/news/security/adobe-patches-flash-zero-day/

For W8.1 and W10 it looks like a June Patch Tuesday fix.

Keep IT Lean, Clean and Mean!

5 users thanked author for this post.

samak, jburk07, SueW, Elly, woody

Reply | Quote

Brian Krebs also has a report.

I wonder if it’s out in time to make this month’s security patches for Windows and/or Office?

1 user thanked author for this post.

Microfix

Reply | Quote

Unless MS distribute an out-of-band patch for those on W8.1 or W10, I’d advise to disable flash completely until patch Tuesday since this is a zero day exploit. Better safe than Sorry!

Who uses flash these days, HTML5 is the way forward.

Keep IT Lean, Clean and Mean!

Reply | Quote

I just received the flash update on my Win8.1 through WU.

1 user thanked author for this post.

Microfix

Reply | Quote

Thanks, That’ll be one less patch on Tuesday then 🙂

Keep IT Lean, Clean and Mean!

Reply | Quote

Thanks for the heads-up. Personally, I always download Adobe updates direct from their website. It’s a habit I got into years ago, when they started using the prompts to sneak Chrome and Mcafee onto unsuspecting P.C.’s without the owner’s express consent. Nothing wrong with Chrome, but I want to be the one to decide whether to install it on my computer – not Adobe.

2 users thanked author for this post.

GoneToPlaid, SueW

Reply | Quote

@TheSurfingPensioner  hehe – I remember when Adobe flash would sneak (uh I mean offer) Google Chrome too. Currently the 2 optional offers (checked) when manually updating flash is McAfee Security Scan Plus and McAfee Safe Connect. Yes thx @PkCano, I got Adobe flash on Win 8.1 via Windows Update today too.

Reply | Quote

The last couple of times I updated Flash, I noticed they had removed the pre-set checks in the boxes for the optional offers. Someone must’ve complained. It nearly threw me: I am so used to unchecking the boxes, I didn’t quite know what to do!

Reply | Quote

Susan Bradley wrote:

For those on 10, and 8.1 you get your update from Microsoft.

As far as I know, that only works if you use IE or Edge exclusively.  If you use Firefox, Chrome, or any other non-MS browser, you have to get your update through Adobe as in Windows 7 (or better yet, uninstall Flash and don’t use it at all, if you don’t have some specific need for it).

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, OpenSUSE Tumbleweed

1 user thanked author for this post.

Kirsty

Reply | Quote

Adobe sneaking Chrome onto systems must have been a while ago because Chrome blocks Flash.

I use Chrome and there is no Flash player installed on my systems. I won’t use websites that ask for flash to be installed.

Reply | Quote

Yep, it was a while ago. I go back a long way.

Reply | Quote

I just checked. It was 2012.

Reply | Quote

According to Krebs, Flash “ships by default with Google Chrome”.

Reply | Quote

Actually, it’s PepperFlash that ships with Google, it’s not written by or provided by Adobe Flash. PepperFlash is maintained by Google, and runs in a sandbox, so it’s relatively safer. I haven’t seen warnings about upgrading Pepperflash, though my Linux Chrome updates often, so perhaps that’s how they handle it.

Reply | Quote

pepflashplayer.dll is still digitally signed by Adobe, so it must be an agreement at most between Google and Adobe

Reply | Quote

I said goodbye to Flash long time ago.

Reply | Quote

I am Win 7 x64 and use Google Chrome as my browser, with Flash disabled. Therefore, I assume I don’t need to do an update for Flash to overcome this exploit?

appreciate advice on this.

GeoffB

Reply | Quote

Check your installed programs and if you have Adobe Flash installed you should update it or as said  better still uninstall the program.

Reply | Quote

GeoffB wrote:

I am Win 7 x64 and use Google Chrome as my browser, with Flash disabled. Therefore, I assume I don’t need to do an update for Flash to overcome this exploit? appreciate advice on this. GeoffB

Google Chrome auto updates the flash player – see my blog post below how to check the version.

Adobe Flash Player version 30.0.0.113 available

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

2 users thanked author for this post.

jburk07, Elly

Reply | Quote

gborn wrote:

Google Chrome auto updates the flash player – see my blog post below how to check the version. Adobe Flash Player version 30.0.0.113 available

Thanks for the advice.  Chrome has auto updated the Flash Player to 30.0.0.113 for me.

regards

 

GeoffB

Reply | Quote

Does Flash update KB4287903 is causing install issues in WSUS environments? I received two user comments between a few hours confirming this. Are you see a similar behavior?

 

Flash-Update KB4287903: Install issues with WSUS

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

1 user thanked author for this post.

columbia2011

Reply | Quote

No issues at all.

Reply | Quote

Install problems for Windows 10 1607 clients can be solved by
installing the Service Stack Update KB4132216 – before installing
the Flash Player update KB4287903.

Gordon7.

Reply | Quote

1607 is no longer supported unless you are Enterprise or Edu.  Thus flash won’t be pushed out if you don’t have that license.

Susan Bradley Patch Lady

Reply | Quote

Thanks, I’ve been asked to do a emergency deployment of the update to my customers Win7 estate. I was hoping for a peaceful Friday.

Rgds, Zeus

Reply | Quote

anonymous wrote:

I said goodbye to Flash long time ago.

Me, too, (& Java) and I’ve never noticed an issue.

WHAT’s the lingering reason(s) to still be using Flash?

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

1 user thanked author for this post.

Microfix

Reply | Quote

I have some old and much-loved animations and applications that use it. And it’s never given me any problems.

1 user thanked author for this post.

SueW

Reply | Quote

There are several applications within business environments, that depends on flash. I’m not sure, whether it’s changes, but VMware ESX vms are using Flash for admin login form.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

2 users thanked author for this post.

Microfix, columbia2011

Reply | Quote

CraigS26 wrote:

WHAT’s the lingering reason(s) to still be using Flash?

There are still sites that haven’t transitioned away from Flash yet. I run into this with sites library patrons have to go to for pre-outside job training per their prospective employers on a regular enough basis. My favorite webgame, from Japan, is only now in the middle of transitioning from Flash to HTML5, after 5 years, although I use the Android port.

1 user thanked author for this post.

wdburt1

Reply | Quote

This morning WSUS has flash updates for window10, etc. Unlike other WSUS updates I always approve the flash updates and have not had any issues (knock wood).

It’s really easy to push flash updates to windows 7 machine in AD through group policy. You’ll need the msi installer version.

Just like everyone else I’d rather get rid of flash all together but for now it stays until I can devote more time to that.

Red Ruffnsore

Reply | Quote

Have Windows10 Pro x64 v1709
I’m relatively new with Win 10, so if I wanted to manually download and install the Flash update from the catalogue link vs waiting for Patch Tuesday (which will probably be patch July!!!), how do I update from the catalogue??
Step by Step specifics, please.
Thx

Reply | Quote

The Flash Player update for Win10 1709, KB 4287903 dated 6/5/18. is available NOW through Windows Update. If you are not familiar with Catalog download/manual install, I would advise you to install the update through Windows Update.

Reply | Quote

PK thx but will the update come down thru Windows 10 update if I have my update settings at Group #2, Semi-Annual, and Quality Features 14 days?

Reply | Quote

Use wushowhid to see that it’s there and hide anything you don’t want to install first.

I’m set at auto update = 2, SAC, and quality = 0. It shows in my Windows Update. I don’t believe that it is a quality update and it should show up. Just be sure with wushowhide you don’t get 1803.

1 user thanked author for this post.

Seattle27

Reply | Quote

SSUs are only needed for the cumulative updates.  Just download the patch from the catalog and install.  If you have quality set to defer for 14 days, going to “get updates” won’t trigger detection.

Susan Bradley Patch Lady

1 user thanked author for this post.

Seattle27

Reply | Quote

Susan thanks for the additional comments. However what are SSUs?  And as originally requested, please provide newbie step by step installation from the catalogue starting with what gets downloaded and where when I select the Download button, then how to install.

Thx

Reply | Quote

Anonymous #196676-

From what Susan says in her reply just above this one, all you need to do is download the patch and install it on an individual basis. The link to the patch’s spot in the catalog is here.

Once you get there, go to the last one on the list (there are 19 different versions of this patch!!) and you’ll see the one for your version of Windows 10 listed, version 1709 x64. You DON’T want ANY OTHER ONE on the list that may say 64 in it’s title, ONLY the last one at the very bottom of the list.

You’ll see a blue button on the right side of the row for your individual update that says”Download”. Clicking that will bring up a box that will have a blue-colored link to the exact file you need, and the file’s entire name will be the link itself, ending in “.msu”.

Clicking that link should present you with two options: You can either run the .msu installer right then and there, OR you can download the file to a location of your choosing on your computer and run it later at a time of your choosing.

If you choose to download it and run it later, all you need to do is simply double click the file and let it run when you’re ready. From the sounds of Susan’s post above, it doesn’t sound to me like running the patch will go get anything else you don’t want to have (like 1803 for example), it will just install the patch and that’s it.

Reply | Quote

Thank you for the fine detail – seems easy enough.

PK – is there a concern we are missing here?

SSU = Servicing Stack Update???  (Not sure what this is)

Reply | Quote

The Servicing Stack is the Windows Update mechanism. For 1709, the latest is KB 4131372 for Build 16299.431 or KB 4132650 for Build 16299.461. If you update through WU, it is automatically installed first before the Cumulative Update. If you are manually installing, it needs to be installed first.

It should be available through Windows update or downloadable from the Catalog.
Find the Build number of 1709 by typing “winver” (without quotes) in the search box.

Reply | Quote

I just hope Adobe & Microsoft won’t release another new Flash Update this coming Patch Tuesday June 12.

Reply | Quote

What is the concern if they do?

Reply | Quote

As pointed out WU only updates IE based browsers. You must manually update for Firefox based browsers or use their built in updaters.

I am not losing any sleep over this one. If as it says it is distributed by dodgy email and as a flash attachment to Office documents I can relax as I don’t have Office and pretty sure LibreOffice would alert me to this unusual situation. Besides which it would never get through my spam filters (instantly deleted in Mailwasher before it got anywhere else.

I do have one application (Telegraph crosswords) which uses flash with no alternative in sight but in general the use of flash online has decreased enormously in the past year.

 

Reply | Quote

My apologies to go off-topic, but I have been unable to find out how to post an question on the proper forum, when clicking on the “comment…” link the response is, “there is nothing here”.  Can someone please tell me how to post my question?  Many thanks!

Reply | Quote

In which topic are you trying to post?
On the main blog page, clicking on the “Comment on the AskWoody Lounge” link will take you to the right place for comments on that topic.

1 user thanked author for this post.

Slowpoke47

Reply | Quote

Is this the post you were trying to make? The topic is Windows 7 Update, Location in the Lounge Windows\Windows 7\Questions Windows 7.

Reply | Quote

Flash is blocked in Office 365 Monthly Channel from this month:

Blocking Flash, Shockwave, Silverlight controls from activating in Office Applications for Security

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

2 users thanked author for this post.

Elly, columbia2011

Reply | Quote

Well it is June 14 and still no sign of the Flash Update in my Windows Download que, guess Susan was correct – with Quality Features set to 14 days it wont detect the update (until 14 days I guess?).

Reply | Quote

That is correct.

If you have Auto Update set to Enabled, =2 (notify download/install) in Group Policy, you can set delay Quality Features = 0. The updates will show up in the queue but won’t download until you click the “Download” button. The computer will search when it starts up and the updates will be visible. (Don’t manually check for updates, that will automatically start the install) If you set metered connections, you can use wushowhide to hide the ones in the queue you don’t want and install the ones you do. There is a trick to that I mentioned here.

Reply | Quote

OK, yes I do have GP setting at 2, so guess I could loosen up on the 14 days.

Regarding wushowhide, say I have items hidden, when I select to unhide them or one item (because I want to install the KB) do they automatically download and install upon exiting wushowhide?  Or since GP is at 2, do they reappear in Windows update queue once again waiting for me to select download and install?

PS not sure why these are not appearing as replies under the reply #

Reply | Quote

To make a reply, click on the “Reply” button on the top line of the post you want to reply to across from the date. Be careful – the words are light and “spam” “trash” and “report” are there too.

In my experience, when you check to unhide in wushowhide, the updates end up in the queue waiting for you to click “download.” I have not had one start downloading automatically. But just to be safe, leave connections on “Metered.”
If they don’t disappear from the queue when you hide them, try the procedure I linked to above.

Reply | Quote