February 4, 2014

Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.

The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.

flash12-0-0-43

The Flash update brings the media player to version 12.0.0.44 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 12.0.0.44. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 32.0.1700.107 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Adobe did not include many details in its advisory about the nature of the attack that prompted this update, other than to credit two researchers from Kaspersky Lab for reporting the vulnerability. As such, this flaw may be related to this Feb. 3 blog post by Kaspersky, which references Adobe Flash in the context of a long-running cyber espionage campaign that Kaspersky has dubbed “The Mask”; the security firm says it plans to release more details about this campaign at its analyst summit next week.


49 thoughts on “Adobe Pushes Fix for Flash Zero-Day Attack

      1. JimV

        That link worked for me (both before and now), so it doesn’t seem to be anything on Adobe’s part — are you running Firefox and NoScript by chance? If so, it may be that you’ve got the Typekit scripting blocked, and since that’s an Adobe product the webpage may require it to function with a proper display. If that’s not the issue and you still can’t get to that webpage, here are the direct download links to the .EXE files which it provides:

        AX – http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_12_active_x.exe

        non-AX – http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_12_plugin.exe

        1. SFdude

          Yep, you are right Jim.
          The noScript FF addon
          was blocking Typekit…

          d/l works ok now f/”distribution3.html” page.

          *** Thanks Jim! ***

  1. Tim

    Once up on a time I used to defend Adobe when people complained about all their security vulnerabilities, on the grounds that at least they were addressing them, instead of brushing them under the carpet. However, years on and it really is pretty unacceptable that there are continuous Adobe security vulnerabilities pretty much every single month and it makes you question whether Adobe products will ever be anywhere near to becoming secure. Adobe really do seem like a liability and it makes you question their integrity and capability as a company.

    1. Scott

      Especially when every new update is a new opportunity for them to earn revenue by foisting crapware on the user via the deceptive Install screen.

      1. george

        Never assume evil intentions when it could be just sheer incompetence…

          1. JimV

            I’ve thought for quite some time that Adobe => “mind of a brick”, and Oracle => “blindsided by the light”….

            1. Robert.Walter

              Steeler’s Wheel might have sung it:

              “Flash to the left of me,
              Java to the right,
              here I am,
              stuck doing updates again!”

      2. John Nicholson

        Ain’t that the truth? I’ve learned to pay particular attention to all updates from any company but I pity the poor, inexperienced user who either fails to read or notice what is automatically checked for him to install or hasn’t a clue as to what it all means—until he finds himself with a cluttered machine and new toolbars, browsers, etc. You would think a “reputable” company like Adobe wouldn’t try to trick/scam people like that.

    2. jdmurray

      Tim, I feel exactly the same way about Microsoft and their products.

    3. Mat2

      Well, please name a software that is widely used, actively developed and has some attack surface that does not receive regular security updates.

  2. Chris

    Does anyone know how to download a Flash update on Vista without the toolbar checkbox? I know how to uncheck the checkbox to dodge the toolbar, but I have no way of explaining this to my parents, who need to update their system, and they are on the other side of the country from me. I’m trying to avoid having to do a LogMeIn session just to update Flash for them. The toolbar dodge is a real problem for people without much computer experience.

    1. jayson

      You could tell them to download Flash Player updates using these two URLs:

      http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe (Internet Explorer)
      http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe (Other browsers)

      But in fact you actually don’t have to tell them anything if you simply activate the auto-update feature. It works really well and silent. And it’s very fast too. Most times not later than one day after the announcement.
      For example here on my machine it just updated to 12.0.0.44 in the background one hour ago. I only noticed it because I had Process Explorer open and saw it creating new processes for the installation. I really recommend it.

    2. Robin Zalek

      I use a command line script that grabs the addon-free installers (and also the uninstaller and standalone version) and installs them. Needs cURL [http://curl.haxx.se/] and Hidden Start [http://www.ntwind.com/software/hstart.html]

      Pay special attention to the rather hacky method I’ve had to use to test for elevated permissions (the script will reload itself elevated if needed). I’d love a cleaner method.

      Save http://bteo.jellystyle.com/updateflash.txt to their drive somewhere with the .cmd extension. Tell them to run it when an upgrade is needed, or you may be able to set it as a scheduled task. As with all random scripts posted to the internet you should probably be sure you understand how it works before you run it.

      NOTE: The URLs have changed in the past. I cannot guarantee perfect forward compatibility.

  3. TheOreganoRouter.onion

    This Adobe Flash patch and then Patch Tuesday next week, good grief !

  4. TheOreganoRouter.onion

    By the way, for all you internet security fans out there, Firefox 27 was released today. Not much of of a update other then the Transport Layer Security (TLS) version 1.2 has been added to both desktop and mobile versions of the new browser .

  5. dpeters11

    Extremely minor, but you have an extra 0 in the Chrome build. It’s 32.0.1700.107

  6. Debi

    I have tried to update my Flash Player but it says that I do not need to. I have version 12,0,0,38 installed, yet it says that the new version is 12.0.0.44. I have Windows 8.1.

    Should I worry?

    Thanks!

    1. SeymourB

      I would download the standalone (MSI) installers and try installing them by hand.

      Adobe’s systems can intentionally prevent people from updating on day 1 so Adobe’s servers don’t get deluged with too many requests.

      By downloading and running the installers by hand (they’re linked in other comments, and I’m under contract so I can’t link to them) you’re avoiding Adobe’s incompetent auto-update system.

    2. Old School

      Even stranger, when I went to check the Flash version this morning, the Flash auto-update function had already updated both IE and Firefox. I am shocked! Chrome is also updated.

  7. Anita Endeman

    Thank you so much for this valuable update.
    Anita

  8. JCitizen

    Thanks to Brian, we got our zero day fix! None of my updater alert tools worked; not really shocked though. I was surprised Google Chrome downloaded the right version to cover this hole. Sometimes these applications act like they are in denial.

    Some folks visiting here might not know, they have to use the proper browser to test the installation. Adobe will open your default browser to run the test page, and that may actually be for the Active X version instead of the plugin – so make sure your testing the right browser/plugin/extension/version match-up.

  9. andy1

    curious what the “priority rating” value means in that versions table. I notice Linux is “3” in contrast to the “1” for Win and Mac

    1. Scott

      It means there is the most immediate danger to Windows targets and they need to be dealt with as quickly as possible, while Linux targets are less impacted and can wait.

  10. Tony

    I don’t think I’ve seen this method of Flashplayer updating listed here. I use Firefox w/NoScript to do this. Other browsers may behave differently. It usually saves time, because it only requires copying a folder to the desktop and running two EXE files.

    I go through the steps twice, to get both the Internet Explorer and Other Browser versions.

    1) Visit http://get.adobe.com/flashplayer/otherversions/
    2) Choose your OS and Flashplayer version.
    3) Uncheck the Optional Offer checkbox.
    4) Click the Download button.
    5) Save the file. I put mine in a subfolder of Downloads, called AdobeFlash. My Firefox is set to prompt me for the location for downloads.
    6) Repeat steps 1-5 for the other browser version.

    Now here’s the best part. Those EXE files you just downloaded seem to be installer stubs. Save them and reuse them. They usually seem to stay valid for several months (next major version?).

    7) Open your Downloads folder.
    8) Drag a COPY of your saved folder to the Desktop. I used AdobeFlash as the folder name in the example, above. In Windows, drag while holding down the CTRL key to copy the folder. Or use Copy and Paste, if you like.
    9) Open the folder.
    10) Double-click one of the EXE files. After it downloads and runs the update, IT SELF-DELETES. This is why you must work with a copy. Talk about viral behavior!
    11) When the install finishes, it opens your default browser to verify the install works. Close it. The installer will whine if the browser is open when you try to install that browser’s version of Flashplayer.
    11) Repeat Step 10 for the other EXE.
    12) The next time you are prompted to install, cancel it and start at step 7.

    The steps 7-11 could be automated.

    Eventually, Adobe changes things and the downloader stubs fails. That’s when you start over at Step 1.

  11. Jim C

    I believe Google Chrome automatically finds and installs the updated version.

  12. Chris Thomas

    Don’t rely on the Adobe Flash automatic updates.

  13. Old School

    YouTube provides the capability to use HTML5 instead of Flash.
    “Many YouTube videos will play using HTML5 in supported browsers. You can request that the HTML5 player be used when possible.”
    http://www.youtube.com/html5

    1. Vee

      Yeah, it’s a damn shame Youtube hasn’t gone entirely HTML5- I’d swear they are being swayed by Adobe.

      But, the way Google has been forcing that Google+ crap on people, among other things, I’m getting kind of tired of Youtube (and Google as well). I hope someone steps up and makes a sane alternative video site.

  14. Keith Gardner

    A CNet Safari browser window just refused to play a video for me, saying “Flash out-of-date.” I followed the link to the download page, but it says the current version is 12.0.0.44, and that I have 12.0.0.44 and don’t need to update. What are we to make of that?

  15. Chris Thomas

    Google Chrome has got its act together. Very prompt update of Flash.

  16. Likes2LOL

    The automated Adobe Flash updater notifications box reads, “… this update will be installed on your system automatically within 30 days or you can choose to download it now.”

    So much for Adobe’s sense of urgency…

    Steve Jobs had it right. 😉

  17. JATNy

    Well, I feel justified now on my earlier posts about how an earlier Flash version allowed something to try to completely take over my computer a few months back. Adobe was absolutely no help then. If this exploit is “previously unknown,” then it was because Adobe wasn’t listening to its users. I had to completely take down the Flash 11 version that I had, and I refused to put it back until a later version was available. Finally version 12 was put up, but I went without internet video, online banking, and some other capabilities for a couple of months. A small price to pay. The bright side is that I got to know this blog and the Krebs community. And now I take control of my own security software and make sure all available fixes, patches, updates etc are used. My thanks to Brian and all the internet warriors here.

  18. Anders

    I grew tired of this gear and simply uninstalled it, including Adobe Air which – for reasons unknown – was installed as well.

    Meeting tomorrow with higher executives, trying to convince them to remove Java and Adobe products from our production environment and replace it with other products if needed or use in-house developed software as a replacement.

    Pray that they will listen to me.

    1. Vee

      Godspeed! Most workplaces don’t care about security as long as it just simply “works”. You know, the whole “Ohhh, I don’t think we need to do that…” Only after they’re hit do they step it up.

  19. John Tallsmith

    I installed 2 * flashplayer12_0r0_44 on Windows 7 today and did not get the choice of choosing manual updates, my preference but under Windows XP the choice is still there.

    http://get.adobe.com/flashplayer/otherversions/
    is a good place to download flash by manual download.
    The latest version is always there. The download is bigger but it’s better if you want to download once and then use it to update several PCs.

    1. JimV

      You should be able to toggle “do not check for updates” (and thus impose a manual requirement) in the Control Panel Flash applet’s Advanced tab. I’m using Win7 x64 on this particular machine, and I was presented with the option when installing both of the latest updates (AX and non-AX flavors) — not sure why it was not presented to you unless that option in Control Panel was already set to “always check for updates” (its default).

      The best direct link to the entire list of manual download options is posted at the top of the comments, and Brian later made the link in his article active which points to the same URL.

      1. JimV

        Should also have asked if you had actually uninstalled Flash before installing the new version, or simply installed over the older version — many (including Brian) recommend uninstalling first rather than an in-place upgrade over the existing version. Although the Flash updater *may* (but may not) completely uninstall the older version, it will likely recognize any default setting in that existing installation which allows checking for updates and act as if the upgrade process is automatic, thus it won’t issue a user query but simply retain that default setting.

  20. W Sanders

    How hard could it be, if you are a state sponsoring espionage, to open up an HVAC, electrical, or some other kind of contracting firm, and use it to gain physical access to all kinds of sensitive facilities? Perfect cover, gives your agents gainful employment in the meantime. Do Level 3, AT&T, etc, background check their individual contractors? I know some entities that do, but a lot that don’t, also.

    1. Vee

      I’d think it’d be more likely to have someone already in such a position go rogue from the temptations of personal gain and later find and hook up with others. Security is always about trust.

      Much in the same way I don’t actually think of Snowden as a saint but as someone who was just in a position.

Comments are closed.