
SANS ISC: Adobe Flash Player Update Released, Fixing CVE 2015-0313 - Internet Security | DShield SANS ISC InfoSec Forums


Adobe Flash Player Update Released, Fixing CVE 2015-0313

Adobe has released an update for Flash Player that, according to Adobe, fixes the recently discovered and exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, you need to check for updates within Adobe Flash. (Personal note: on my Mac, I have not seen the update offered yet.)

The new Flash player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296.

Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

---
Johannes B. Ullrich, Ph.D.

Johannes

3508 Posts
ISC Handler
Awesome!!!

Let's just go ahead and start the countdown clock until the next one happens. I've been Flash free for about a week, and have had a surprisingly good experience other than a few news sites that insist on using Flash for video. I manage my security devices via their management program, and their formerly Flash dependent web interface is not in Flash anymore.

A few years ago, I could not have done this for this long. I realize others are not there.

I'm just worried these jerks have a stack of zero days that they're holding back for release. Having the world as your oyster for 10 odd days must really make these guys happy. Anyway, time will tell.

Yes, I'm jaded, but the eventual death of Flash is imminent. I will be doing everything in my power to help that process along. Boycotting Flash will force the web sites using it to change. Also, shame on these advertising server farms as you are wreaking havoc with your lax policies.
pdawg

7 Posts
Quoting pdawg: Awesome!!!

Let's just go ahead and start the countdown clock until the next one happens.


Well, keep the "update" button handy... As said in earlier posts this is the "new preferred" methodology of attacks. As you see "cup of joe" (java) attacks reduce, these WILL continue. <sigh>

Of course this would change if ALL, repeat ALL software distribution organizations actually did better testing. We have seen this with MS and their past failed update record. Sad, if we wrote code for a company, how long do you think we would have a seat?

Quote: Boycotting Flash will force the web sites using it to change.


Good luck with that!!!

P.S. Dr. "J" time to update the Sonic Wall information???

ICI2I

63 Posts
Anyone else seeing the update distribution site for the UK has the latest but the US version still has *.296?
TobySimmons

7 Posts
APSB15-04 is up, but not linked on the Security page. No sign of the binaries yet.
TobySimmons
3 Posts
I just ran the adobe stub installer, making sure to uncheck the boxes for the junkware, and grabbed the stand-alone installer from the pcaps I made when the stub installer was running. Now I have something to deploy to the rest of my users. Going by hand to 70 workstations and running the stub installer just isn't going to happen.
R

33 Posts
I'm dreaming of a Flash free world though it's going to take a while I will admit. Who's going to budget for rewriting a web site done 8 years ago?

I've tried to go Flash free in the past, and this is the longest I've ever made it. I don't really care about it anymore. I had to reimage one of my fully patched PCs back in late December after using Internet Explorer (up to date) very briefly where I don't run all of the ad blocking stuff that I run on my main browser. After analyzing my security, Flash was the only culprit or some other unknown IE exploit that could have possibly done it. I have further locked down things even tighter since then.

Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.
pdawg

7 Posts
While the Adobe Flash Player distribution page is touting 16.0.0.296, the files that are available are actually 16.0.0.305 for both the EXE and MSI packages. Download away!

- Snuffy -
Snuffy

4 Posts
Adobe released a new security advisory for Flash Player -
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

The advisory indicates this latest version addresses CVE-2015-0313 through CVE-2015-3030 inclusive.
That's 18 CVEs!
toymaster

13 Posts
Quoting pdawg: Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.


Great idea or Onion... Shut down.. Poof.. gone! :o
ICI2I

63 Posts
Note: Adobe did it again!!!

http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe provided the latest 16.0.0.305 uninstaller.

While telling on their download page for Flash that it has been updated to 16.0.0.305, they still deliver 296 in the *.exe files, the version with holes not fixed. Only the *.msi files contain the updated .305 update.

http://www.adobe.com/products/flashplayer/distribution3.html

Just tested - this is simply not acceptable.
ELBE

13 Posts
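
The mismatch reported in the posts above (a download page naming one version while the files carry another) can be checked before a package is pushed to workstations. The PowerShell below is an added example, not part of any post in this thread and not an Adobe tool; the staging folder `C:\Staging\Flash`, the function names and the expected signer substring are assumptions.

```powershell
# Added example: report signature status and real version of each staged installer.
$Fixed          = [version]'16.0.0.305'   # fixed version named in the diary
$ExpectedSigner = 'Adobe Systems'         # assumption: confirm against a known-good file

function Get-InstallerVersion {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ([IO.Path]::GetExtension($full) -ieq '.msi') {
        # An MSI is not a PE file: read ProductVersion from its Property table.
        $wi   = New-Object -ComObject WindowsInstaller.Installer
        $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($full, 0))
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                    @("SELECT Value FROM Property WHERE Property = 'ProductVersion'"))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        $text = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
        $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
        return [version]$text
    }
    # EXE: use the numeric parts, since the version string may be comma-separated.
    $vi = (Get-Item -LiteralPath $full).VersionInfo
    return New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-FlashInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = Get-InstallerVersion -Path $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Version = $ver
        # Valid signature AND the expected publisher in the certificate subject.
        Signed  = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
        Patched = $ver -ge $Fixed
    }
}

# Hypothetical staging folder; deploy only rows where Signed and Patched are both True.
Get-ChildItem 'C:\Staging\Flash' -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-FlashInstaller -Path $_.FullName } |
    Format-Table -AutoSize
```
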
Quoting ELBE: Note: Adobe did it again!!! Just tested - this is simply not acceptable.

@Elbe.. once I whacked ALL Flash using a program that removes everything from the system, no issues here. But then again, no telling what aDOPEY is doing, as we know some time back they had a problem aligning all their updates. Are we having fun yet?? :@
ICI2I

63 Posts
Goodbye Flash, but brace yourself for the upcoming flood of similar flaws in HTML 5 implementations.
jbmartin6

20 Posts
Quoting jbmartin6: Goodbye Flash, but brace yourself for the upcoming flood of similar flaws in HTML 5 implementations.


Yep.. and a whole new level of ignorance to follow...
ICI2I

63 Posts
Hi, long time listener, first time poster :-)
I have been hearing that some are having problems obtaining the standalone msi installer for flash for updating.
The following two links are for direct downloading the msi's for ActiveX and Plugin from Adobe:
http://fpdownload.adobe.com/get/flashplayer/current/licensing/win/install_flash_player_16_active_x.msi
http://fpdownload.adobe.com/get/flashplayer/current/licensing/win/install_flash_player_16_plugin.msi
In the past, when there is a major version change (i.e. 15 -> 16), just change the value in the url link.
I hope this helps people.
Cheers,

Ron Cullen
Hobart, Tasmania
Australia.
Ron Cullen

1 Posts
