November 25, 2014

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for the Windows, Mac and Linux versions of Flash. The patch adds hardening against a vulnerability that Adobe patched in October, and for which attackers appear to have devised working exploits that are now in active use.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice: once for IE (the ActiveX control) and again for the alternative browser (e.g., Firefox or Opera, which use the separate NPAPI plugin). Each is a separate install, and patching one does not update the other.
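Because the two Windows installs (ActiveX for IE, NPAPI for Firefox/Opera) are patched separately, and because Linux stays on the 11.2.x branch while Windows and Mac are on 15.x, "am I patched?" is a per-plugin, per-branch comparison rather than a single number. The script below is an added example, not code from the post or from Adobe: it parses Flash version strings (both the dotted form and the comma form Adobe writes to the registry), compares each installed plugin against the minimum build for its own branch as given above, and reports which ones still need the update. The registry key paths in `read_windows_versions` are an assumption about where Adobe's installer recorded its version on 2014-era systems; the sample inputs are constructed.

```python
"""Audit installed Flash Player builds against the versions named in the post.

Added example, not the post's or Adobe's own code. Registry paths are assumed.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# Minimum builds carrying the CVE-2014-8439 hardening, per release branch,
# exactly as the post states them. Flash ships on two branches at once:
# the current desktop runtime (15.x for Windows/Mac) and the extended-support
# 11.2.x line that Linux receives. A version must be compared to the minimum
# for ITS OWN branch; "11.2.202.424 < 15.0.0.239" is not a missing patch.
PATCHED_MINIMUMS: Dict[str, Tuple[int, ...]] = {
    "desktop": (15, 0, 0, 239),    # Windows and Mac desktop runtime
    "linux":   (11, 2, 202, 424),  # Linux NPAPI plugin
}

# Accepts "15.0.0.239" (download page) and "15,0,0,239" (registry form).
_VERSION_RE = re.compile(r"^\s*(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Flash version string into a comparable tuple of four ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def audit(installed: Dict[str, Optional[str]], platform: str) -> Dict[str, str]:
    """Report each plugin as patched / needs update / not installed / unparseable.

    installed maps a plugin name (e.g. "ActiveX", "NPAPI") to the version
    string found on disk, or None when that plugin is absent. platform is
    "windows", "mac" or "linux" and selects the branch minimum.
    """
    branch = "linux" if platform == "linux" else "desktop"
    minimum = PATCHED_MINIMUMS[branch]
    report: Dict[str, str] = {}
    for plugin, text in installed.items():
        if text is None:
            report[plugin] = "not installed"
            continue
        try:
            version = parse_version(text)
        except ValueError:
            report[plugin] = "unparseable"
            continue
        # Tuple comparison is lexicographic, so 15.0.0.223 < 15.0.0.239 and
        # 11.2.202.418 < 11.2.202.424 come out as expected.
        report[plugin] = "patched" if version >= minimum else "needs update"
    return report


def read_windows_versions() -> Dict[str, Optional[str]]:
    """Read the ActiveX (IE) and NPAPI (Firefox/Opera) versions from the registry.

    ASSUMPTION: these key paths reflect how Adobe's installer registered the
    two plugins on 2014-era Windows; they are not taken from the post.
    """
    import winreg  # Windows-only module
    keys = {
        "ActiveX": r"SOFTWARE\Macromedia\FlashPlayerActiveX",
        "NPAPI":   r"SOFTWARE\Macromedia\FlashPlayerPlugin",
    }
    found: Dict[str, Optional[str]] = {}
    for name, subkey in keys.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                found[name], _ = winreg.QueryValueEx(k, "Version")
        except OSError:
            found[name] = None  # key absent: that plugin is not installed
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        installed, platform = read_windows_versions(), "windows"
    else:
        # Constructed sample: IE already updated, Firefox plugin still on .223.
        installed, platform = {"ActiveX": "15,0,0,239", "NPAPI": "15.0.0.223"}, "windows"
    for plugin, status in audit(installed, platform).items():
        print(f"{plugin:8s} {installed[plugin] or '-':14s} {status}")
```

The point the two-install caveat makes shows up directly in the output: a machine can report `ActiveX patched` and `NPAPI needs update` at the same time, which is exactly the state a user is in after updating through IE alone. Checking the installed version rather than the download page's label also catches the case one commenter ran into below, where the page said .239 but the installer still delivered .223.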

37 thoughts on “Adobe Pushes Critical Flash Patch”

  1. Robert

The Flash download from the link is still 15.0.0.223, even though it says 15.0.0.239. The MD5s are identical to the copies I have of 15.0.0.223, and when installed, it says it is 15.0.0.223.

    Not Brian’s fault, but Adobe’s. Hopefully they’ll fix that quickly.

      1. Shadeyone

        Is that for the frontpage? The OS specific one we use for downloads is still serving up .223

    1. BaliRob

      I agree – thanks for that I would have sat here all day otherwise

    2. Robert

      I can confirm Adobe has fixed the problem. The link will now give you the correct version.

  2. Alex Blackwell

    If you download from the Flash homepage (uncheck McAfee if you don’t want it), you’ll get version 15.0.0.239.

  3. Eric

    Hmmph. Uninstall flash sounds like a better option at this point.

  4. user@adobe

@Alex Blackwell, “good” idea, and then go over a few hundred desktops and laptops located in a few different countries to manually install it. Why should Adobe make life easy for IT departments all around the globe … after all, they aren’t making any money off us.

    I’m with Eric but unfortunately it’s not my decision 🙁

  5. Mik

Strange, from the distribution3 page I got .418 on some machines (7241108 bytes) and .424 on others (7241264).

They were consistently the same, but .424 was received only from another subnet under the same ISP.

  6. Jim J

    Does this mean an update for PPAPI Flash on Chrome is necessary or just normal Flash (which I don’t have)?

    Thanks

    1. Tim A

      “IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.”

    1. Informer

      False alarm. It is now back. I was concerned the update was pulled.

  7. Likes2LOL

Has anybody noticed that the login sequence on eBay invokes the MS Silverlight plug-in? And remember the (I think it was) 2008 Olympics in China, when NBC.com did all their videos in Silverlight? Can we drop Flash and switch to Silverlight?

    I’m not an expert on these plug-ins, just wondering if that’s a possibility… Silverlight certainly seems more stable, and that’s from a guy who regularly bashes Microsoft’s competence! 😉

    1. Tim A

      Silverlight isn’t supported on as many platforms as Flash, and it’s had its share of security updates too. They just don’t stand out as much because they tend to get lost in the crowds of updates Microsoft releases.

HTML5 is slowly taking over, so both Flash and Silverlight are actually on their way out.

      1. Carsten Hansen

        The number of Silverlight security issues is miniscule compared to the number of Flash exploits. Give me a real life example where someone got hacked because they used Silverlight.

        1. BrianKrebs Post author

Carsten, there are plenty of documented cases where exploit kits or other widely used tools have bundled Silverlight vulnerabilities. Just the fact that there are >100 million Netflix users alone makes it a nice target for the bad guys.

          1. Carsten Hansen

I was asking for real-life attacks that got through the front door because of Silverlight. I’m not aware of any. After you get through the front door, whether you are able to get to another room by using a Silverlight vulnerability is of lesser concern to me.
Brian, why don’t you post the number of Flash vulnerabilities vs. the number of Silverlight vulnerabilities? I’m willing to bet that it is more than 10 to 1.

            1. Jim J

Unfortunately it doesn’t matter whether Silverlight is more secure, because for the small number of websites that make use of it the increase in attack surface isn’t worth it. Just my two cents.

            2. SeymourB

              Just because you’re not aware of Silverlight vulnerabilities doesn’t mean they don’t exist.

              Silverlight gets updates the same as Flash does, and if not for security updates why do you think they have updates? It’s not for new features – HTML5 is going to inevitably kill both Flash & Silverlight for all but the most extreme corner cases.

If anything, Silverlight is a more inscrutable black box than Flash, because its extremely limited use means fewer miscreants are looking at it for exploits. The exploits that are found are patched, same as anything decent out there, but it’d be foolish to assume there aren’t more exploits lurking in Silverlight. Or that the patching cycle wouldn’t kick into high gear if the world switched over to it. It’s a Microsoft product, after all.

              1. Carsten Hansen

                How many times has Microsoft released an emergency patch for Silverlight? How many times has Adobe, like here, released an emergency patch for Flash? Just look at the headlines here at krebsonsecurity. I don’t recall ever seeing Brian urging people to update Silverlight because there was an active attack.

            3. mechBgon

              Here are a couple results from a search for “Silverlight exploit payload:”

              From Microsoft’s own site: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:JS/Axpergle#tab=2

              From MalwareBytes:
              https://blog.malwarebytes.org/exploits-2/2014/05/malvertising-campaign-on-popular-site-leads-to-silverlight-exploit-zeus-trojan/

              The payloads mentioned here are dangerous stuff, banking Trojans to be precise. I acknowledge your main point, which is that Silverlight’s track record looks much better than Flash Player’s. But in either case, I would prefer to switch them off by default, and enable them when needed. Turning on click-to-play and/or ActiveX Filtering is a good proactive move IMO.

  8. Some guy

    Google finally got off their ass and pushed a Chrome update (as of ~15 minutes ago) containing the patch. That took long enough.

    1. Tim A

      They have yet to update the dev channel of Chrome (because I like my browser to act funky sometimes. heh). It’s still on Flash v15.0.0.223.

  9. Jim J

    HTML5 at 100% can’t come fast enough for me. Flash is an unmitigated disaster.

    1. Robert.Walter

      I was thinking the same.

      But I do wonder what problems html5 will bring with it.

  10. 15.0.0.239

    Installed no problems for use with Firefox 33.1. Also the Firefox Developer Edition is doing almost daily updates now and that’s how I found out about this flash update patch.

  11. spike

    “Installed no problems for use”

    Except it’s proprietary so you don’t really know what it’s capable of.

  12. BaliRob

    Do we really need Shockwave – it has crashed on Mozilla four times this past week?

  13. CJ

    My Chrome won’t update.
“Update failed (error: 7) An error occurred while checking for updates: Egads! Installation failed. Please try again. Error code = 0x00000000.”

    1. JD

You may want to uninstall and reinstall Chrome.
Make sure your bookmarks are synced with your Google account first: Settings > Advanced sync settings
Or
export your bookmarks:
Options > Bookmarks > Bookmark manager > Organize > Export bookmarks to HTML file

  14. Yves Lepage

When I see this, I get the same feeling I get when it’s time to pay taxes: again, and no, there’s nothing I can do.

Adobe has been pushing critical security patches for its Flash Player software for 10 years now. You’d think they would have learned how to build a secure application. Seems not.

  15. patti

    So I’m always confused on how these things affect us linux users…

  16. Deployment Peon

ARRRG!! We (I) JUST finished updating a new image that will get used on dozens of machines. The wait was based on waiting long enough to catch November’s Patch Tuesday. In the meantime, we had how many Firefox updates all within three weeks?? Plenty! Thankfully, we weren’t able to put it out just yet except for two machines as field testers. I can update the image again, but at this rate, I might as well wait for December’s PT releases. Another FF update is sure to come over the long weekend (US holiday).
