Patch Tuesday, 2016 U.S. Election Edition

Let’s get this out of the way up front: Having “2016 election” in the headline above is probably the only reason anyone might read this story today. It remains unclear whether Republicans and Democrats can patch things up after a bruising and divisive election, but thanks to a special Election Day Patch Tuesday hundreds of millions of Adobe and Microsoft users have some more immediate patching to do.
As the eyes of the world stayed glued to screens following the U.S. presidential election through the night, Microsoft and Adobe were busy churning out a large number of new security updates for Windows, MS Office, Flash Player and other software. If you use Flash Player or Microsoft products, please take a deep breath and read on.
Regularly scheduled on the second Tuesday of each month, this month’s “Patch Tuesday” fell squarely on Election Day in the United States and included 14 patch bundles. Those patches fixed a total of 68 unique security flaws in Windows and related software.
Six of the 14 patches carry Microsoft’s most-dire “critical” label, meaning they fix bugs that malware or miscreants could use to remotely compromise vulnerable PCs without any help from users apart from maybe visiting a hacked or malicious Web site.
Microsoft says two of the software flaws addressed this week are already being exploited in active attacks. It also warned that three of the software vulnerabilities were publicly detailed prior to the release of these fixes – potentially giving attackers a head start in figuring out how to exploit the bugs.
“MS16-129 is our usual dog’s breakfast of remote code execution vulnerabilities in the Microsoft Edge browser, impacting both HTML rendering and scripting,” said Bobby Kuzma, systems engineer at Core Security. “MS16-130 contains a privilege escalation in the onscreen keyboard function from Vista forward. That’s great news for anyone running touchscreen kiosks that are supposedly locked down.”
As part of a new Microsoft policy that took effect last month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update — will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible).
It’s important to note that several update types won’t be included in a rollup, including those released for Adobe Flash Player on Tuesday. For the second time this month, Adobe issued a critical update for its ubiquitous Flash Player browser plugin. The newest Flash version — v. 23.0.0.207 and available here for both Windows and Mac computers — plugs at least nine more flaws in Flash. To see if you have Flash installed and if so what version is running, check this link.
Google users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.
Somehow KrebsOnSecurity neglected to mention the other critical update Adobe pushed for Flash on Oct. 26, 2016 (my bad folks, sorry). It’s really hard to keep up with Flash updates sometimes. That’s part of the reason I’ll continue to encourage readers to disable or remove Adobe Flash unless and until it is needed for something specific. Fewer sites now require it, and leaving this buggy, powerful program enabled all the time is just asking for security trouble. Check out the advice at A Month Without Adobe Flash Player for tips on how to hobble or do without Flash entirely.
Indeed, Google reportedly is planning to phase out full support for Flash on its Chrome browser by the end of 2016. And Mozilla is now blocking certain Flash content deemed “not essential to the user experience.” Specifically, as stated by Mozilla’s Benjamin Smedberg, Mozilla Firefox is blocking specific Flash content that is invisible to users.
“This is expected to reduce Flash crashes and hangs by up to 10%. To minimize website compatibility problems, the changes are initially limited to a short, curated list of Flash content that can be replaced with HTML,” Smedberg wrote back in June. “We intend to add to this list over time.”