Patches? “We don’t need those stinkin’ Patches”

Yet another Adobe Flash patch is out:

adobe securitybulletin

Here is where they are all located: http://helpx.adobe.com/security.html

Yesterday 2 patches (fixing vulnerabilities found) were released

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.”

http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform.  ”   Priority 2 or 3 depending on platform

You can see that there is no prescribed date for these patches, since  unlike Microsoft Adobe has decided to create patches for vulnerabilities as they come out (especially for critical vulnerabilities.

In case you don’t know Microsoft has decided some time ago to make the 2nd Tuesday of the month  patch Tuesday.  (which was January 13th this month)

So these patches are considered “out-of-band”. because of the large concentration of Microsoft devices this 2nd Tuesday planning for installing new patches has become an industry standard, although that may be changing.

 

Look at the platforms and versions for Adobe Flash:

Product Affected versions Platform Priority rating
Adobe Flash Player Desktop Runtime 16.0.0.257 and earlier Windows and Macintosh 2
Adobe Flash Player Extended Support Release 13.0.0.260 and earlier Windows and Macintosh 2
Adobe Flash Player for Google Chrome 16.0.0.257 and earlier Windows, Macintosh and Linux 2
Adobe Flash Player for Internet Explorer 10 and Internet Explorer 11 16.0.0.257 and earlier Windows 8.0 and 8.1 2
Adobe Flash Player 11.2.202.429 and earlier Linux 3

The landscape is fragmenting with more people running mobile Operating systems, although the 2nd Tuesday patch timing may be with us security folks for some time to come.

 

Of these 2 vulnerabilities, the first one (apsa15-01) has a critical nature to it. If you do click on malware or run across a website that takes advantage of the vulnerability your machine will run whatever the criminal hacker has in store for you. (viruses, ransomware, key loggers, adware, or something new)

cryptowall2.0message this is the message for cryptolocker2.0 ( a client was unfortunate to have encountered this) lost most files…

 

Right now Cryptolocker3.0 is the bad guy on the block, so if you have an old version of Adobe Flash, then you are susceptible to getting hacked and then all your files will be encrypted. How about having to pay for getting the “right to use your files” to the tune of $500. And sometimes that is not even in the cards, as the anonymous methods of payment do not always work. It is also curious… the criminal hacker does not have tech support in case his decryption method  or payment method does not work. So pretty much you better have a backup of your files. Otherwise you can start from scratch to rebuild stuff.

cryptolocker3-0   the payment and contact is through I2P an anonymous network, making it very difficult for authorities to catch these criminals.

So yes the patches do matter – when will you patch?

 

There are of course more than just the Adobe Flash “out-of-band” patches:

Oracle came out with its patch rollup:

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html    the POODLE fix is in here, there are many(169) software patches for different versions of Oracle Products.

This Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.”

Google paid $88.5k in bounties as security researchers found flaws in Chrome. So version 40 is now here.  Patched 62 security flaws.

http://www.esecurityplanet.com/browser-security/google-pays-big-bug-bounties-in-chrome-40-fix.html

Here is an interesting paragraph:

In contrast, Microsoft has yet to provide a single security patch for its Internet Explorer browser in 2015, while Mozilla’s Firefox 35 had nine security advisories attached to it.”

 

I am sure there is more coming for Microsoft on February 10th (2nd Tuesday)

If you only have a certain number of resources then be judicious of which patches to implement first, like the critical nature patches which can take over your machine.

So my headline of Patches, “I don’t need those stink’ patches” (stems from movie: Blazing Saddles) is of course the opposite of what needs to be done.  The trick is to implement correctly, test the patch in your environment and then implement to production systems in a reasonable amount of time.

wedontneednostinkingbadges

In the meantime… be careful out there.

 

 

 

1 thought on “Patches? “We don’t need those stinkin’ Patches””

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.