It was a massive patch Tuesday this week. We got patches for show-stopping flaws from Microsoft, Oracle, Google, and Adobe.
Let's start with Microsoft, who released eleven security updates. Microsoft applied its most serious rating of "critical" to four security holes this month. These remote code execution flaws impact Windows, Internet Explorer, and Office. The Office issue applies to Word, including Word for Mac, so our Office Mac users definitely want to update, as well.
Microsoft's remaining seven updates are marked as "important" and cover the gamut of security threats, including privilege escalation, information disclosure, and a denial of service. As I've noted before, despite the lower ranking of privilege escalation flaws, you don't want to underestimate their impact. Attackers are not above chaining exploits to compromise a machine.
Adobe pushed out an update to Flash that closed off a whopping twenty-two vulnerabilities. Due to the cross-platform nature of Flash, this security update applies to Windows, Mac, and Linux. I've pointed out the absurd update design of Flash in the past. I keep hoping Adobe will focus some resources on fixing this confusingly complex situation. Since it hasn't yet, let's walk through the minefield one more time.
Flash for Internet Explorer on Windows 8, 8.1, 2012, and 2012 R2 can only be obtained from Microsoft and Windows Update. If you need the manual updates for these operating systems, you can find them here. Meanwhile, for Internet Explorer and Firefox on older versions of Windows, Safari and Firefox on the Mac, and Firefox on Linux, you'll want to grab the updater from Adobe.
Remember, the update tools for Windows treat Flash for IE and Firefox differently. There is no joint update tool, and you must update each browser individually. If you want to uninstall the old version before updating to the latest version, here is the Adobe tool for Windows and Mac.
You don't want to delay on this Flash update, folks. The bad guys are already taking advantage of the ad bidding process with networks like DoubleClick to exploit these recently patched holes in Flash. They're using these vulnerabilities to infect victims with crypto ransomware.
Google also makes our list this week with the release of Chrome 42.0.2311.90. This update brings forty-five security fixes to the table. Chrome has a built-in version of Flash and thus isn't part of the update dance I listed above. Presumably, this Chrome update also closes off the newly disclosed Flash vulnerabilities. Remember that you can force Chrome to update by clicking the three horizontal lines by the address bar and selecting 'About Google Chrome.'
Finally, Oracle's release of Java version 8 update 45 closes off fourteen vulnerabilities, all of which are remote code execution flaws. Security problems of this scope with Java have moved out of the realm of shocking and into the depressingly common. Java is the second most exploited software on the web, behind only cross-site scripting flaws in web applications. Unless Java is mission critical for an application you use, I strongly recommend you uninstall it. You can remove Java in Windows through 'Programs and Features' in the Control Panel. After Java is uninstalled, there are some third-party tools like JavaRA that can clean out the small bit of remaining cruft.
If your use of Java is limited to local applications like Minecraft, make a point of disabling the Java browser plug-in. That seemingly small step is actually a big help at mitigating much of the risk from Java.
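Before walking through the Flash update dance and the Java removal above, it helps to know exactly what is on the box. The following PowerShell is an added example (not from the original post): it reads the standard Windows Uninstall registry keys, including the WOW6432Node view where 32-bit browser plug-ins register, and lists every Flash and Java entry. On a machine with both IE and Firefox, expect the Flash for IE (ActiveX) and Flash for Firefox (NPAPI) installs to show up as separate entries, each needing its own update; the name patterns and the threshold comparison are assumptions for illustration.

```powershell
# Added example: inventory Flash Player and Java installs on a Windows host.
# Both registry views are queried because 32-bit plug-ins live under WOW6432Node
# on 64-bit Windows. Nothing is modified; this is a read-only check.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RiskyPlugins {
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Flash Player|Java' } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName
}

$found = Get-RiskyPlugins

if (-not $found) {
    Write-Output 'No Flash Player or Java entries found in the Uninstall keys.'
    return
}

$found | Format-Table -AutoSize

# Each Flash entry is a separate install (IE/ActiveX vs Firefox/NPAPI) and has to
# be updated on its own; flag how many there are so nobody updates just one.
$flashCount = @($found | Where-Object { $_.DisplayName -match 'Flash Player' }).Count
if ($flashCount -gt 1) {
    Write-Output "Found $flashCount Flash Player installs; update each one separately."
}

# Any Java entry is worth a second look: remove it unless an application needs it,
# and if it must stay, disable the browser plug-in in the Java Control Panel.
$java = $found | Where-Object { $_.DisplayName -match 'Java' }
foreach ($j in $java) {
    Write-Output "Java present: $($j.DisplayName) $($j.DisplayVersion) - review whether it is still required."
}
```

Run it in an elevated PowerShell session on each machine you manage, or wrap it in your existing inventory tooling, to get the list of installs that the update steps above apply to.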
Like Adobe with Flash, Oracle and former owner Sun have a nasty history of pushing crapware through their web-based installer. I recommend grabbing the offline installer instead.