My next class:

Adobe Flash Player Update Released, Fixing CVE 2015-0313

Published: 2015-02-05. Last Updated: 2015-02-05 00:16:04 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

An update has been released for Adobe Flash that fixes according to Adobe the recently discovered and exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, you need to check for updates within Adobe flash. (personal note: on my Mac, I have not seen the update offered yet).

The new Flash player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296.

Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: 0day adobe cv20150313
14 comment(s)
My next class:

Comments

Awesome!!!

Let's just go ahead and start the countdown clock until the next one happens. I've been Flash free for about a week, and have had a surprisingly good experience other than a few news sites that insist on using Flash for video. I manage my security devices via their management program, and their formerly Flash dependent web interface is not in Flash anymore.

A few year ago, I could not have done this for this long. I realize others are not there.

I'm just worried these jerks have a stack of zero days that they're holding back for release. Having the world as your oyster for 10 odd days must really make these guys happy. Anyway, time will tell.

Yes, I'm jaded, but the eventual death of Flash is imminent. I will be doing everything in my power to help that process along. Boycotting Flash will force the web sites using it to change. Also, shame on these advertising server farms as you are wrecking havoc with your lax policies.
[quote=comment#33245]Awesome!!!

Let's just go ahead and start the countdown clock until the next one happens. [/quote]

Well, keep the "update" button handy... As said in earlier posts this is the "new preferred" methodology of attacks. As you see "cup of joe" (java) attacks reduce, these WILL continue. <sigh>

Of course this would change if ALL, repeat ALL software distribution organizations actually did better testing. We have seen this with MS and their past failed update record. Sad, if we wrote code for a company, how long do you think we would have a seat?

[quote] Boycotting Flash will force the web sites using it to change.[/quote]

Good luck with that!!!

P.S. Dr. "J" time to update the Sonic Wall information???

ICI2I
Anyone else seeing the update distribution site for the UK has the latest but the US version still has *.296?
APSB15-04 is up, but not linked on the Security page. No sign of the binaries yet.
I just ran the adobe stub installer, making sure to uncheck the boxes for the junkware, and grabbed the stand-alone installer from the pcaps I made when the stub installer was running. Now I have something to deploy to the rest of my users. Going by hand to 70 workstations and running the stub installer just isn't going to happen.
I'm dreaming of a Flash free world though it's going to take a while I will admit. Who's going to budget for rewriting a web site done 8 years ago?

I've tried to go Flash free in the past, and this is the longest I've ever made it. I don't really care about it anymore. I had to reimage one of my fully patched PCs back in late December after using Internet Explorer(Up to date)very briefly where I don't run all of the ad blocking stuff that I run on my main browser. After analyzing my security, Flash was the only culprit or some other unknown IE exploit that could have possibly done it. I have further locked down things even tighter since then.

Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.
While the Adobe Flash Player distribution page is touting 16.0.0.296, the files that are available are actually 16.0.0.305 for both the EXE and MSI packages. Download away!

- Snuffy -
Adobe released a new security advisory for Flash Player -
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

The advisory indicates this latest version addresses CVE-2015-0313 through CVE-2015-3030 inclusive.
That's 18 CVE's!
[quote=comment#33257]Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.[/quote]

Great idea or Onion... Shut down.. Poof.. gone! :o
Note: Adobe did it again!!!

http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe provided the latest 16.0.0.305 uninstaller.

while telling on their download page for Flash it has been updated to 16.0.0.305, they still deliver 296 in the *.exe files, version with holes not fixed. only the *.msi contain the updated .305 update.

http://www.adobe.com/products/flashplayer/distribution3.html

Just tested - this is simply not acceptable.

Diary Archives