Results 1 to 11 of 11
  1. #1
    iNET Interactive
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    704
    Thanks
    11
    Thanked 68 Times in 53 Posts

    New attacks on Windows' secondary components




    PATCH WATCH

    New attacks on Windows' secondary components


    By Susan Bradley

    July's security updates target vulnerabilities in Windows Journal, DirectShow, On-Screen Keyboard and other supporting components. But the bulk of July updates, once again, consists of nonsecurity fixes for all current versions of Office and their associated applications.

    The full text of this column is posted at windowssecrets.com/patch-watch/new-attacks-on-windows-secondary-components/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by Kathleen Atkins; 2014-07-09 at 18:58.

  2. Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    Excel 2013: The Missing Manual

    + Get this BONUS — free!

    Get the most of Excel! Learn about new features, basics of creating a new spreadsheet and using the infamous Ribbon in the first chapter of Excel 2013: The Missing Manual - Subscribe and download Chapter 1 for free!

  3. #2
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,311
    Thanks
    139
    Thanked 114 Times in 98 Posts
    With Flash Player, only the Windows 8 editions of IE 10 and IE 11 get their Flash Player updates from Microsoft Updates. On Win7 and lower, IE 10 and IE 11 use the IE Flash Player installer from Adobe, just like everyone else. Starting with Flash Player 14.0.x it is necessary to run the Flash Player uninstaller before running the Flash Player installer to update the Active-X (IE) version. Firefox uses the non-IE Flash Player installer. I don't recall having to do an uninstall before updating for Firefox. Chrome in all versions uses PepperFlash, which is updated automatically with each new release of Chrome, but must be manually extracted and installed for Chromium. Firefox for Linux uses the NPAPI (Netscape Protocol) Flash Player Plugin from Adobe, which has not been version-updated for Linux in some time, resulting in functional and security issues.

    As of April 29, 2014, Chrome and Chromium for Linux no longer support the Netscape Protocol (NPAPI) Plugins (the ones Firefox uses). So users MUST use PepperFlash in Linux. (Mac and Windows protocols will be changed over in an upcoming Chrome update.) For Linux users, this may involve a convoluted double-download, in which the Chrome Installer is downloaded, PepperFlash is extracted, and the Pepper Plugin is transferred to the appropriate Chromium areas. Ubuntu will update PepperFlash in a single step, from the Ubuntu Software Centre. So far, as of this posting, PepperFlash for Linux has not been updated to Version 14.0.0.145. Expect this to happen soon Linux users. Windows and Mac users have already seen the update.
    Last edited by bobprimak; 2014-07-10 at 15:37.
    -- Bob Primak --

  4. #3
    Lounger PamS's Avatar
    Join Date
    Dec 2013
    Location
    North Carolina
    Posts
    33
    Thanks
    20
    Thanked 0 Times in 0 Posts
    One update that I got that is not mentioned in this newsletter is KB2973351. For now I am putting it on hold until someone tells me whether it is safe to install or not. Thanks!

    Pam

  5. #4
    2 Star Lounger JC Zorkoff's Avatar
    Join Date
    Dec 2009
    Location
    Boston, Massachusetts, USA
    Posts
    126
    Thanks
    11
    Thanked 14 Times in 14 Posts
    Quote Originally Posted by bobprimak View Post
    Starting with Flash Player 14.0.x it is necessary to run the Flash Player uninstaller before running the Flash Player installer to update the Active-X (IE) version.
    I don't know where you got this information, but I have installed Flash Player 14.0.0.125 and 14.0.0.145 for both IE and Firefox on top of the old version for both Windows 7sp1 and 8.1.1. I have never uninstalled any version of Flash.

    YMMV

  6. #5
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,780
    Thanks
    84
    Thanked 343 Times in 309 Posts
    Quote Originally Posted by PamS View Post
    One update that I got that is not mentioned in this newsletter is KB2973351. For now I am putting it on hold until someone tells me whether it is safe to install or not. Thanks!

    Pam
    That's a minor update to a recent security update, and it's only relevant to enterprise IT administrators using Remote Desktop Protocol to connect to servers within a domain.

    It's related to KB2871997 which Sue covered on May 15, 2014:

    > What to do: Home-network users — or anyone who doesn’t sign into a domain — can pass on KB 2871997. Those who do sign into a corporate domain should install the update when offered.

    Details of the May update and its July update are at Update to Improve Credentials Protection and Management.

    Perhaps Susan Bradley will remember to address KB2973351 sometime soon as it will apparently be offered to all Windows 7 and Windows 8 users.

    (I installed this update three days ago and have not noticed any adverse consequences; but I always install all updates immediately and I haven't used RDP on a domain lately.)

    Bruce
    Last edited by BruceR; 2014-07-11 at 11:55.

  7. #6
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Fresno, California, USA
    Posts
    225
    Thanks
    0
    Thanked 54 Times in 34 Posts
    Yup I'll cover it at the end of the month.

  8. #7
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Fresno, California, USA
    Posts
    225
    Thanks
    0
    Thanked 54 Times in 34 Posts
    (Thanks to Daniel Porterfield)

    Issue with MS14-039 Patch Breaks Tablet PC Input Panel Keyboard (KB2973201)
    http://marc.info/?l=patchmanagement&...1874606644&w=2

    After installing KB2973201 the Tablet PC Input Panel keyboard can not be moved with a stylus or touch input. It can be moved with a mouse. Of course, this makes the keyboard extremely difficult to use at all in any normal touch or stylus context.

    KB2973201 is the Windows Update KB number for an Important rated security vulnerability, MS14-039, which resolves a vulnerability that could allow privilege escalation. This patch was released to the public July 8, 2014.

    https://technet.microsoft.com/library/security/ms14-039

    To be clear, this is not the on-screen keyboard opened in accessibility options (or by searching for OSK). It is the keyboard opened from the "Tablet PC Input Panel" (or by searching Tablet PC Input Panel).

    The patch can be uninstalled using the following elevated command line or powershell. Uninstalling brings back the expected behavior of this keyboard after restarting.

    wusa /uninstall /kb:2973201



    https://community.flexerasoftware.co...oft-KB-2962872
    We are actively investigating the incompatibility of many versions of InstallShield with Microsoft's recent security update to IE (KB 2962872). At this point it is not yet fully clear whether the root cause is our existing code or Microsoft's update. Once we identify the root cause, we expect to offer an update to address this issue. Internally we are tracking this issue under number IOJ-1662902. If you ensure that your support engineer adds your report there, we can notify you when new information is available. Alternately you can subscribe to this thread, as I will post further updates here.

    None of the currently known workarounds are acceptable long term, but they include:

    Uninstalling KB 2962872 (there are reports of cases where this did not help)
    Emptying the content of several inline help .htm files (the IDE will still crash on close, but is usable in the mean time)

  9. #8
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,311
    Thanks
    139
    Thanked 114 Times in 98 Posts
    Quote Originally Posted by JC Zorkoff View Post
    I don't know where you got this information, but I have installed Flash Player 14.0.0.125 and 14.0.0.145 for both IE and Firefox on top of the old version for both Windows 7sp1 and 8.1.1. I have never uninstalled any version of Flash.

    YMMV
    This is my experience on only one laptop.

    IE 11 on Windows 7 SP1 did not allow the Flash Player plugin installer to run until I ran the Flash Player uninstaller. This was also indicated when a popup came up saying the Flash Player Installer had to stop and that I had to run the Flash Player Uninstaller to get the installer to run. This has happened with all versions of Flash Player for IE 11 on this computer since 14.0.0.x.

    I do not know of anything unusual about my installation. I originally got IE 11 through Microsoft Update, and did not remove the previously installed IE10 on this laptop.

    The only thing which might possibly be a difference is that I run Avast Free Antivirus on this laptop. Avast does protect certain System Files.

    UPDATE: For Linux users (Chrome or Chromium Browsers) -- As of this posting, Google has not posted any intentions to update Pepper Flash for Linux. I don't find any explanation, but for Linux users there appears to be no forthcoming Pepper Flash 14.0.0.145 update. The end of Netscape Protocol Plugins (NPAPI) for Linux Chrome/Chromium users is scheduled for Chrome/Chromium 35, which should be out in a few weeks.
    Last edited by bobprimak; 2014-07-11 at 21:22.
    -- Bob Primak --

  10. #9
    2 Star Lounger JC Zorkoff's Avatar
    Join Date
    Dec 2009
    Location
    Boston, Massachusetts, USA
    Posts
    126
    Thanks
    11
    Thanked 14 Times in 14 Posts
    Quote Originally Posted by bobprimak View Post
    The only thing which might possibly be a difference is that I run Avast Free Antivirus on this laptop. Avast does protect certain System Files.
    Avast could indeed be the answer. I also use Avast AV along with Online Armor Firewall, but I always disable them whenever I do any installations. This is so easy by just using the right click on the Tray Icons of each.

  11. #10
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,311
    Thanks
    139
    Thanked 114 Times in 98 Posts
    Regarding Linux Chromium Pepper Flash player update to version 14.0.0.145:

    I found a method which I refined to extract the needed files from the Chrome for Linux Beta rpm installer and get those files where Chromium uses them. Thus, the actual version of pepper Flash in the revised Chromium will advance and provide the security fixes, but the browser when polled (chrome : plugins) will still display version 14.0.0.125 as the current version.

    This is false, as when tested at the three Adobe official Flash Player test pages, the version returns as 14.0.0.145. Which is exactly what it is supposed to be.

    The extraction process is a bit complex, but not out of the ordinary for experienced Linux users. I posted my find and my Ubuntu specific mods to the Google blog about this Chrome Pepper Flash update: HERE .

    At present, this may be the best Linux Chromium users can do. At issue is the Chrome Component Update process, which Chromium for Linux does not participate in at this time under Versions 34 and 35.

    Update
    : My method was incomplete. There's one last cosmetic step to take.

    Using any Editor with Root privileges, edit /usr/lib/pepflashplugin-installer/pepflashplayer.sh to read the current version where listed in the file. It only appears once, and it's a short file. Now everything's in sync and up to date.

    Chromium now displays in "chrome : plugins" the .145 version number. When tested at the three Adobe Test Pages, the Pepper Flash version was revealed to be the .145 upgrade, just as it should be. All security requirements should now be met, and Chrome itself knows it has had the update

    New Update: As of July 16, 2014, my Chromium for Ubuntu Linux got an update for Pepper Flash Plugin through the Ubuntu Updater. So I guess they finally got the Linux Pepper Flash up to date -- fully ten days after the security issue was first revealed. Pretty slow, if you ask me.
    Last edited by bobprimak; 2014-07-17 at 07:05.
    -- Bob Primak --

  12. #11
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,780
    Thanks
    84
    Thanked 343 Times in 309 Posts
    Quote Originally Posted by SusanBradley View Post
    Yup I'll cover it at the end of the month.
    Which month?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •