For today’s Patch Tuesday, Microsoft released seven bulletins (a surprise after only announcing five last week) and Adobe released one.
There are four critical advisories, to me the most important of which is MS14-010 affecting Internet Explorer versions 6 through 10.
This patch fixes 24 vulnerabilities, one of which has been publicly disclosed.
Considering that 22 of these vulnerabilities can lead to remote code execution, this fix is priority one.
MS14-007 is a flaw in the Direct2D graphics engine in Windows 7 through 8.1, including RT.
It is also related to Internet Explorer and could result in a malicious web page exploiting this flaw to achieve remote code execution.
The last major one to look out for is MS14-011, flaws in the VBScript interpreter affecting Win XP through 8.1 (RT inclusive) and Internet Explorer versions 8 through 11.
Server editions have mitigation implemented through blocking active scripting inside Internet Explorer, but expediting this fix is still recommended.
The fourth critical flaw is a remote code execution flaw in Forefront for Exchange, while the three important vulnerabilities are in XML, .NET and the Windows IPv6 stack.
Adobe’s fix is for the Shockwave Player and resolves two critical remote code execution vulnerabilities.
In addition to recommending that you remove Shockwave if you have it installed, there is another reason to avoid it.
Adobe seems to think that its job includes trying to force you to install unwanted applications along with its plugins.
In my case it tried to “opt me in” to installing Chrome. It is a dodgy practice to bundle other applications by default and even worse practice when someone is downloading a security update.
Shame on you Adobe.
For those who want to download Shockwave without the bundleware you can go to the Adobe alternates download page.
9 comments on “Internet Explorer, .NET, IPv6 and Shockwave top the February 2014 Patch Tuesday list”
The most important part is left out… Does this mean that Adobe prefer’s Chrome’s built in Pepperflash to it’s own flash process?
Is PepperFlash better?
They are largely the same, It is a nice irony though, isn’t it?
Adobe alternates page. You are joking, right. No mention of Windows 7 and the flash requirements are Windows2000XP/Vista.
Same plugin for modern versions of Windows. Don’t complain to us, contact Adobe.
Such practices are often known as ‘foistware’ and Adobe are not the only culprits. And they have been around for a very long time. Everyone should check every, yes every, install offered to untick the foistware box. That usually means not allowing automatic downloads and installs else you get lumbered with the foistware and have to uninstall it, with all the attendant risks and troubles that has. So you have to be diligent at checking for all updates, making sure they don’t install what you don’t want/need and then updating manually.
I’ve been doing it that way for over 20 years and it works if you are diligent.
Chester and I discussed this very issue (and described a foistware avoidance technique for Flash 🙂 in this week’s Chet Chat podcast…
So Naked Security recommends uninstalling Shockwave? Isn’t needed for many websites? Are their more secure alternatives?
HTML5 is the shockwave killer. How much removing it hits you probably depends on what kind of websites you visit – I can’t remember the last website I went to that used Shockwave (or at least I haven’t heard my laptop fan trying to spin off its bearings for a while).
Hasn’t been widely used since around 2000. Don’t confuse Flash with Shockwave (Sometimes Flash is called Shockwave Flash from back in the Macromedia days).
What I always tell people (same with Java) is remove it. If you are then prompted to install it because sites you use require it, you can always reinstall it.