For those of you who are losing track, yet another Adobe Flash vulnerability has been unleashed on its unsuspecting users. I am sure we all know the wording off by heart by now, but in case:

Vulnerability identifier: APSA15-02
CVE number: CVE-2015-0313
Platform: All Platforms

Quote: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Many thanks to MJ for the heads up.

1. https://helpx.adobe.com/

Steve Hall
ISC Handler
www.tarkie.net
Stephen 89 Posts Feb 2nd 2015
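A version triage for the affected range in the advisory above, as an added example that is not part of the diary, of Adobe's advisory, or of any reader's post. The only facts taken from the page are the affected range (16.0.0.296 and earlier) and the fixed build (16.0.0.305, per the Adobe update quoted later in the thread); the host inventory, host names and function names are constructed for illustration. It accepts both the dotted installer form and the comma-separated "WIN 16,0,0,296" form that Flash reports in its $version string, and it shows why version strings must be compared as integer tuples rather than as strings.

```python
"""Triage installed Flash Player builds against APSA15-02 / CVE-2015-0313.

Added example; not code from the ISC diary or from Adobe. Facts from the page:
"16.0.0.296 and earlier" is affected and 16.0.0.305 carries the fix. The
inventory below is constructed sample data, not real hosts.
"""
from typing import Dict, Tuple

AFFECTED_MAX = "16.0.0.296"   # "16.0.0.296 and earlier versions" (APSA15-02)
FIXED_VERSION = "16.0.0.305"  # build Adobe shipped with the CVE-2015-0313 fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Return a 4-tuple of ints for '16.0.0.296' or the $version form 'WIN 16,0,0,296'.

    Only the last whitespace-separated token is used, so a leading platform tag
    is ignored. Anything that is not four numeric fields raises ValueError.
    """
    token = text.strip().split()[-1] if text.strip() else ""
    parts = token.replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str) -> bool:
    """True when the build falls inside the advisory's affected range."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX)


def is_fixed(installed: str) -> bool:
    """True when the build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed', 'unknown' or 'unparseable'.

    'unknown' covers builds above 16.0.0.296 but below 16.0.0.305: the advisory
    text says nothing about them, so they are not silently called safe.
    """
    fixed = parse_version(FIXED_VERSION)
    affected_max = parse_version(AFFECTED_MAX)
    result = {}
    for host, reported in inventory.items():
        try:
            build = parse_version(reported)
        except ValueError:
            result[host] = "unparseable"
            continue
        if build >= fixed:
            result[host] = "fixed"
        elif build <= affected_max:
            result[host] = "vulnerable"
        else:
            result[host] = "unknown"
    return result


def naive_string_compare_is_wrong() -> bool:
    """Show the pitfall: as strings '16.0.0.99' sorts above '16.0.0.296'.

    Returns True when the string comparison and the numeric comparison disagree,
    i.e. when a string-based check would wrongly treat 16.0.0.99 as newer.
    """
    as_strings = "16.0.0.99" > "16.0.0.296"          # True: '9' > '2'
    as_numbers = parse_version("16.0.0.99") < parse_version("16.0.0.296")
    return as_strings and as_numbers


# Constructed sample inventory (hypothetical hosts and reported builds).
SAMPLE_INVENTORY = {
    "ws-01": "16.0.0.296",        # exactly the advisory's upper bound
    "ws-02": "WIN 16,0,0,257",    # $version form, older build
    "ws-03": "16.0.0.305",        # patched
    "ws-04": "13.0.0.262",        # older branch, still "earlier"
    "ws-05": "not installed",     # no parseable version
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it as-is to see the sample inventory classified; feed `triage()` a real host-to-version map (from whatever inventory tool you have) to get the emergency-update worklist. The 'unknown' bucket is deliberate: a build the advisory does not mention should be looked at, not assumed safe.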
Feb 2nd 2015
I've updated the IE out of date active x blocking custom manifest repo to mark 16.0.0.296 unsafe https://github.com/mallorybobalice/ie-custom-oob-xml-rules
If anyone wants to try using it this time:
- Readme is in the repo along with deployment hints and pre-reqs
- in default deployment it's disableable click-to-play for versions marked unsafe (excl. trusted sites and intranet) (OK, not so much click to play as allow all on site (page?) x)
- let's hope MS will accelerate including out-of-date Flash there on their own (into the auto-update version), and soon. Lately they've been using it for Java 7 with no recent public exploits, so yea
Mallory Bobalice 28 Posts |
Feb 2nd 2015
Having read last week--with great pleasure--that YouTube/Google tipped the balance to HTML5 by making it default, this weekend I installed Firefox 36 beta (the final browser providing support for EME DRM), uninstalled Flash plug-ins from all systems, and disabled Flash in IE via Group Policy. Today I smiled a few times and wrote this comment and one other. Time to consign Flash to the dustbin. Good riddance!
Starlight 34 Posts |
Feb 3rd 2015
I agree, this series of Flash zero days was the straw that broke the camel's back as far as I'm concerned. I've eliminated it in my environment, and other than seeing a few missing ads it's been no problem. Now I have to convince my clients to do it, which is going to be difficult as Flash has been part of the landscape for so long.
Actually, I think these guys possibly have a series of zero days lined up, so we are going to be on the emergency Flash update scramble for a while. Why do I think this? First, Adobe Flash consistently has one of the worst track records of all time for severe flaws, which Adobe cannot seem to get a handle on. Second, this group seems very adept at finding or obtaining Flash zero days. Kudos to Google/Firefox and HTML5 for helping to lay the foundations for the total elimination of Adobe Flash. Steve Jobs, yet again, proved he was a true visionary for refusing to allow Flash on iOS. My hat's off to you, Steve (R.I.P.), for taking point on ridding the world of Flash.
pdawg 7 Posts |
Feb 3rd 2015
Man, that must be nice.
Cisco requires Java to run some of their GUI config tools. Our web filters require Flash and/or Java to manage. Then there are other high-priority or even business-critical systems that also require these relics, of course. But it's the management interfaces from *security* companies that still require these dang things that boggles my mind.
Jaybone 27 Posts |
Feb 3rd 2015
"Cisco requires Java . . . our web filters require Flash . . ."
No doubt Java and Flash will be required for some time. Oracle fixed Java primarily by imposing strong certificate authentication or explicit sysadmin exceptions for all Java code, conceding that promiscuous execution was no longer viable. Perhaps now Adobe will follow suit to protect the legacy value of Flash and improve their reputation. Presumably all the direct-revenue-producing Adobe authoring tools now emit HTML5, WebGL and H.264 as readily as SWF, so Adobe will get by just fine.
Starlight 34 Posts |
Feb 4th 2015
=) Re keeping Flash enabled for intranet: again, if the majority of users are on IE, and hopefully for non-admin-interface Cisco tools, you could deploy an out-of-date ActiveX blocklist marking Flash 25.0.0.0 safe [effectively whitelisting nothing for the Internet zone in IE for a while]. Then custom zone settings via Local intranet or Trusted sites (after carefully reviewing what you actually have there and the other settings there). (Maybe Adobe can release something remotely useful in admin management.)
Mallory Bobalice 28 Posts |
Feb 4th 2015
Adobe Security Bulletin https://helpx.adobe.com/security/products/flash-player/apsa15-02.html has been updated to show that "Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4". Additional support to follow...
Mallory Bobalice 1 Posts |
Feb 4th 2015
"UPDATE (February 4): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11."
https://blogs.adobe.com/psirt/?p=1171
FTWMike 24 Posts |