Category Archives: Flash

Flash 16.0.0.305 fixes latest zero-day

To their credit, Adobe is reacting swiftly to the recent outbreak of critical vulnerabilities in Flash. They just released another new version (16.0.0.305) to address vulnerability CVE-2015-0313, which is being actively exploited on the Internet.

Anyone using Flash, especially in a web browser, should install the new version as soon as possible.

Internet Explorer for Windows 8.x and Google Chrome will see related updates in the very near future.

Update 2015Feb07: Ars Technica: As Flash 0day exploits reach new level of meanness, what are users to do?

Another critical Flash vulnerability

Adobe has posted an alert about yet another critical vulnerability in Flash. This issue (CVE-2015-0313) affects all versions of Flash, including the most recent (16.0.0.296).

So far there is no patch from Adobe, although one is expected this week. As always, disable Flash in your browser if you don’t need it, exercise great care in web browsing if you need Flash, and configure Flash browser plugins as ‘Ask to activate’ where possible.

Adobe releases another Flash zero-day fix

Adobe has updated the bulletin related to the CVE-2015-0311 vulnerability in Flash. Apparently a new version of Flash (16.0.0.296) has been released to address the bug.

Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.

Anyone using a web browser with Flash enabled should install the new version as soon as possible.

Ars Technica has additional details.

Update 2015Jan28: Adobe has issued another security bulletin for this update.

Update 2015Jan30: Flash 16.0.0.296 also addresses the vulnerability CVE-2015-0312.

SANS upgrades Infocon threat rating to yellow

SANS Internet Storm Center has upgraded their Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:

“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”

The Infocon rating is displayed in the left sidebar of this web site.

Adobe issues special update for Flash, while another 0-day rears its head

On Thursday, Adobe announced an update that addresses a recently discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.

Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.

Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. According to Adobe, they are working on a patch, which should be available in the next few days.

SANS has a useful summary of the recent updates and vulnerabilities related to Flash.

Dangerous new Flash 0-day

Even up-to-date installations of Flash are currently vulnerable to a new zero-day exploit that’s showing up in the wild. The exploit has already been added to at least one exploitation kit, which means attacks using this exploit are likely to increase rapidly. The exploit can be used to gain unauthorized access to affected computers.

Anyone using a web browser with Flash enabled should be extremely cautious when browsing web sites not known to be safe. The safest course of action is to disable Flash in your browser.

I personally use Firefox with Flash enabled, but I have the Flash add-on configured to always ‘Ask to activate’. That way any time I visit a web site that wants to display Flash content, I can avoid any danger by leaving Flash disabled for that site.

Flash update

Yesterday, Adobe announced a new version of Flash for all platforms. Version 16.0.0.257 fixes numerous security issues, as well as some other bugs.

As usual, Google Chrome will update its embedded Flash automatically, and updates for the embedded Flash in Internet Explorer on Windows 8.x will be available via Windows Update.

Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.

Patch Tuesday for December 2014

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.