Security Garden

Tuesday, November 25, 2014

Adobe Flash Player Out of Band Critical Security Update


Adobe has released security updates for Adobe Flash Player. The updates address a critical bug and include security fixes, in particular improving the security mitigation that was introduced in the October 14th release of APSB14-22.

Affected software versions

  • Adobe Flash Player and earlier versions
  • Adobe Flash Player and earlier 13.x versions
  • Adobe Flash Player and earlier versions for Linux

Update Information

The newest versions are as follows:
ActiveX for IE and Macintosh version:
Release date: November 25, 2014
Vulnerability identifier: APSB14-26

CVE number: CVE-2014-8439
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted or, my preference, use the direct download links.

Note:  At the time of this posting, the direct download links have not been updated!  The direct download links are now available.

    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player

    Adobe Flash Player for Android

    The latest version of Adobe Flash Player for Android is available from the Android Marketplace; browse to it on a mobile phone to download it.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Thursday, November 20, 2014

    Fake Tech Support Scams


    Although not all fake tech support callers claim to be calling on behalf of Microsoft, claiming to represent Microsoft or Windows is the approach most commonly used in such calls.  Scammers also claim to represent other vendors such as Dell, McAfee and Norton.

    Two operations working out of the state of Florida have conned tens of thousands of consumers out of more than $120 million through their deceptions.  The FTC and the state of Florida obtained federal court orders to shut down those two operations for deceptively marketing computer software and tech support services. The court orders have additionally placed a temporary freeze on the defendants’ assets and have placed the businesses under the control of a court-appointed receiver.

    As welcome as the FTC action is, fake tech support scams have been harassing people since early in 2009 and this is not the end of it.  As I recommended over two years ago:
    Should you receive an unsolicited telephone call from someone purporting to be from Microsoft (or any other vendor), the best advice is to just hang up! Microsoft does not make this type of telephone call.

    There are also people who try to keep these cybercriminals on the telephone, not only to waste their time but also to keep them tied up so they are not calling someone else who may not realize the caller is a scammer.  Microsoft recently published an online form to Report a technical support scam.  By supplying as much of the information requested on the form as possible, you will be assisting both Microsoft and law enforcement agencies in stopping these cybercriminals.



    Tuesday, November 18, 2014

    Microsoft Out-of-Band Critical Security Update


    One of the security updates that was delayed in the regular patch cycle last week has been released.

    MS14-068 is a critical update that addresses a vulnerability in Kerberos that could allow elevation of privilege.  Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability.

    As described in the security bulletin:
    "An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only."

