January 27, 2015

For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

Last week, Adobe released an out-of-band Flash Patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week’s patch didn’t fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
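An added example (not from the original article or from Adobe) of running that version check across a fleet: it flags each Flash install below 16.0.0.296 per install rather than per host, because the IE build and the plugin for other browsers are patched separately. The inventory format, host names and function names are assumptions, the sample rows are constructed, and the advisory-to-version mapping is the one listed in the comments on this page.

```python
import csv
import io

# Fixed-in versions for the 16.x Windows/Mac branch, as listed on this page.
FIXES = [
    ((16, 0, 0, 287), "APSB15-02", ["CVE-2015-0310"]),
    ((16, 0, 0, 296), "APSB15-03", ["CVE-2015-0311", "CVE-2015-0312"]),
]

# Constructed sample inventory: one row per Flash install, not per host.
SAMPLE = """host,install,version
ws-01,activex,16.0.0.296
ws-01,plugin,16.0.0.287
ws-02,plugin,16.0.0.257
ws-03,activex,16.0.0.296
ws-04,plugin,11.2.202.440
ws-05,plugin,16.0.0.x
"""

def parse_version(text):
    """Return a 4-int tuple, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def missing_fixes(version):
    """CVEs still open for a 16.x install; None if the branch is not covered here."""
    if version is None or version[0] != 16:
        return None
    # Tuple comparison is numeric per field; comparing the raw strings
    # would rank "16.0.0.1000" below "16.0.0.296".
    return [cve for fixed, _, cves in FIXES if version < fixed for cve in cves]

def audit(inventory_csv):
    """Map host -> sorted findings across every install on that host."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = report.setdefault(row["host"], set())
        open_cves = missing_fixes(parse_version(row["version"]))
        if open_cves is None:
            findings.add(f"{row['install']}: not assessed ({row['version']})")
            continue
        findings.update(f"{row['install']}: {cve}" for cve in open_cves)
    return {host: sorted(f) for host, f in report.items()}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A host such as ws-01 shows why the per-install view matters: its IE build is current while the plugin used by other browsers still lacks the APSB15-03 fixes.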


47 thoughts on “Yet Another Emergency Flash Player Patch”

  1. Likes2LOL

    If the Internet is ever hacked badly enough to kill the electric grid, I bet it’ll be due to a Flash exploit! 😉

    Thanks for the timely update info, Brian.

    1. JimV

      If not Flash, then Java would be the next likely candidate.

  2. Jonathan E. Jaffe

    How many exploits are ENABLED by the “emergency” nature of patches that are (apparently) not tested enough to see they fix the problem in the first place?

    Jonathan @nc3mobi

    1. EstherD

      Answer: Not many.

      Very few security patches introduce a completely new security hole. (I cannot think of an example. Can you provide one?)

      At worst, poorly-engineered (or rushed) patches leave the pre-existing security hole incompletely resolved, such that the original exploit still works, albeit (in most cases) only on a select subset of the hosts that were vulnerable to the original exploit, and typically only after the exploit is re-tooled to work around whatever mitigations were included in the patch.

      Failure to patch COMPLETELY doesn’t “enable” anything, especially since the attackers still have to do a bit of work to circumvent the patch; whereas failure to produce a patch QUICKLY certainly *can* enable malicious activity, especially if there is already a known exploit in the wild.

  3. mechBgon

    Still watching for this one to show up at Microsoft Update, since that’s how it’s distributed for the IE flavor on Win8.x. This is the first time I’ve noticed that mechanism lagging Adobe’s own releases.

  4. Columbus_viaLA

    Ever since this recent flurry of Flash updates began–@3 weeks ago–YouTube videos will not play on my fully-updated Firefox browser from any YouTube page. They do play if embedded in any other page. Also, they play in all cases on IE11. I have tried almost every fix and workaround (except *one*) that I could find online. None worked. I am close to *resetting* Firefox, which is a PITA with no guarantee of fixing the YouTube problem. Of course, Firefox has updated 2-3 times recently, too. Anyone else have this issue? Could all the recent Flash updates be the cause or a contributory factor?

    1. JCitizen

      My FireFox v. 35.0.1 is playing flash okay, but it does act flaky most of the time. The window goes dark until things load, then it comes back running well. Every time there is a major transition of a plugin, it does that same thing. I’d say FF is having plugin compatibility issues, but my opinion could easily be wrong, as I have a pretty tight blended security defense, and it could just be that FF barely operates within those parameters. I don’t have IE-11, so I can’t comment on that.

    2. Ed Foster

      Flash works more or less on Firefox. I regularly get messages that it has stopped working. It gives me the choice of fixing the script. Yeah, right! I stop the script and Firefox starts working again.

      This has been going on for three or four weeks. I hoped the new Flash or Firefox versions would fix the problem, but not so far. I always submit a crash report to Firefox. That hasn’t helped.

      1. Columbus_viaLA

        Just to be clear (also to JCitizen), it is not Flash that will not function on my Firefox of late. Flash works, with one exception: Flash-driven YouTube videos will not play from any YouTube page. However, they will play if embedded on a non-YouTube page. So it’s a YouTube thing, primarily. I cannot yet tell if Flash is at fault to any degree.

        Alas, it looks like my only remaining option is a Firefox reset.

        1. SeymourB

          Instead of resetting your profile, why not just create a new one and see if the problem is resolved in it? Otherwise you could end up resetting your profile for no gain. Worst case the new profile still has the same problem and you know a reset won’t cure it. Best case the new profile cures the problem so you know a reset will cure it. It’s a win/win in my book.

          I do wish Firefox profiles weren’t so damn fragile though. Seems like every few versions I have to reset a profile for no good reason other than that Firefox barfed while “upgrading” the profile for the new version. Good jorb, Mozilla.

          1. Columbus_viaLA

            Thanks for weighing in. If I recall a Firefox “reset,” correctly, it does not require a total reset of your profile, only a reset of the browser to its “pristine” condition. That means the browser as it would be newly-downloaded and installed: no plug-ins, extensions, “appearances” or add-ons. Once reset, you restore those at will. However, the reset retains all bookmarks. So by those parameters, it is not a total “profile” reset.

          1. Columbus_viaLA

            Thanks, Joe. It looks like the workaround is: Disable Flashblock, then open the desired YouTube page. The video starts immediately this way.

            Should not be necessary, but it works. I just have to remember to re-enable Flashblock later.

    3. A

      I do have this issue but am lazy and figure nothing on Youtube is really worth it, so I haven’t tried to fix it, but it is frustrating why it suddenly has problems.

    4. Twin Mustang Ranch Dressing

      I have Firefox 35.0.1 on Windows XP SP3 with Flash Player …296 and have set Firefox to ask me to activate the Flash Player plugin and I have no problems with YouTube.com.

  5. Carlos Almeida

    thank you Krebs 🙂
    means a lot having some always there for us 🙂
    all the best for your great work

  6. grayslady

    Either Adobe is running scared with all the holes in Flash, or someone at the company is finally taking Automatic Update seriously. Immediately after reading this article, I checked Control Panel and found that the updates were already in place. This happened last week, as well. In my XP days, Krebs was days ahead of any Adobe “automatic update”. Maybe I’m one of only 1000 people still occasionally using Flash, so it’s easier for Adobe to put through timely Automatic Updates. Who knows?

    1. Jon Marcus

      Strongly suspect Adobe is running scared. Their original out-of-band patch didn’t address this. They had a known issue with exploits in the wild. That should be enough to scare any company.

    2. Mike

      If you read the comments from the last article about Flash, there were some folks (not me) who caught this update over the weekend when it came out. (In that thread, I only joked about it like it was some kind of fashion statement.)

      Sure, ok, so Brian is a couple days behind, just like you and me. This patch came out sometime over the weekend. What I’m getting at isn’t Brian, but that over the past few months, we’ve seen TONS of updates. There’s so much work being done to patch holes that they must not have the manpower to rebuild a tighter flash from the ground, up. Firefox is the same. The race between developers and those who put their software skills to nefarious use has heated up over the past 3 months.

  7. Angus S-F

    FWIW I just keep Flash for Firefox and the Iron Browser (Chrome without Google), I don’t have the ActiveX Flash installed. And I rarely use IE.

  8. Jurupa

    I see they (Adobe) finally got around to updating their download page. Well I only checked for the Windows entry. But it took them 2 extra days to get that up there and the Chrome part wasn’t working yesterday. Got the 296 for Windows and 440 for Linux on 1/25 from the Distribution page, Let me try the Chrome now, thanks..

  9. JCitizen

    I already had 16.0.0.296 which auto-updated the last KOS article. Chrome was completed then also. Security Garden is repeating this story too. I imagine this is causing confusion for some people, who might think this is another update beyond 296.

      1. JCitizen

        I saw an article on MajorGeeks that Adobe is pulling their support for other sites, and to stop hosting their update files. Looks like they’re also getting testy now.

  10. Jason R

    So much going on, this is hard to keep track of. Since 16.0.0.296 was released January 24, I am not sure what how/what is addressed with this January 27 bulletin as it calls to upgrade to the same version.

    Release date: January 22, 2015
    Last updated: January 24, 2015
    Vulnerability identifier: APSA15-01
    CVE-2015-0311
    Update to: was 16.0.0.287, now 16.0.0.296
    http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

    Release date: January 27, 2015
    Vulnerability identifier: APSB15-03
    CVE-2015-0311, CVE-2015-0312
    Update to: 16.0.0.296
    http://helpx.adobe.com/security/products/flash-player/apsb15-03.html

    Last week:
    Release date: January 22, 2015
    Vulnerability identifier: APSB15-02
    CVE number: CVE-2015-0310
    Update to: 16.0.0.287
    http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

    WSUS received KB3035034 for Windows Server 2012 R2 and Windows 8.x which specifically mentions APSB15-03:
    http://support.microsoft.com/kb/3035034
    https://technet.microsoft.com/library/security/2755801

  11. ActiveX

    It is largely because of Flash that I use ActiveX filtering in Internet Explorer.

    (Cog menu \ Safety \ ActiveX Filtering)

    It can be enabled or disabled for particular sites, so if you trust a site, you don’t need to be bugged by it repeatedly.

    It does cause some issues with some sites, but only until it’s turned off for that site.

  12. Dan

    This is getting old. Adobe needs to stop trying to patch their ‘spaghetti code’ but I doubt it since HTML5 is still in partial phase adoption. Usually, when you try to patch one area, another area of the code gets broken. As a manager of dev of a major retail product, we had to rewrite the code for one of our products as patching only caused further unexpected problems somewhere else in the code.

    To lock down Windows 7 in ultimate and enterprise editions to mitigate damage against malware use EMET 5.1 and also use AppLocker

    http://community.spiceworks.com/how_to/show/59664-free-almost-perfect-malware-protection-with-gpo-app-locker

    https://www.youtube.com/watch?v=ab5IGQr70-g

    1. SeymourB

      Beta version of Firefox? What, like a beta from 2 years ago?

      Seriously, Firefox has had HTML5 support for YouTube’s HTML5 player for ages. There are other HTML5 video sites that do weird browser version/plugin checking that don’t always work properly.

      In those cases they rarely have anything to do with Firefox’s support for HTML5 video and more to do with horribly written server-side code that tries to special-case every browser under the sun and fails on combinations they didn’t include. “Oh you have the Flash plugin present but not enabled? Too bad we’re not going to give you HTML5 video.” If you’re using a browser they didn’t include they often fall back to using Flash, which is just wonderful if you don’t have Flash installed.

      Grumble. Grumble. Grumble.

  13. Phoenix

    The most annoying part of these “improvements” is adding the new version into EMET. I don’t know why they have to include the version in the file name.

  14. mike

    What is the mechanism for getting exploited via flash?
    Do you have to go to a shady website and watch some sort of video? I would think youtube would be able to filter out any malware infected videos when they are uploaded. I hope that if you steer clear of the darker corners of the web you would be ok. What exactly does it enable the attacker to do?

    1. EstherD

      Get a Flash-blocker add-on for Firefox (or set the Flash plug-in to be “click-to-activate” in Firefox or Chrome). Then browse the ‘net as you usually do for a few days. You’ll be surprised (amazed?) to see how many garden-variety (i.e. non-YouTube or Vimeo) websites use Flash to deliver some kind of content or another, typically a front-page video, a scrolling image gallery or a fancy navigation menu. Third-party ads are often delivered as Flash, too.

      So the short answer is: LOTS of websites use Flash, either directly (for content) or indirectly (for ads). And anytime you visit such a site, knowingly or not, you risk getting an exploit delivered thereby.

      If said exploit can break out of the browser sandbox in which Flash typically runs these days, then said exploit can do ANYTHING that YOU could do on your machine, including deleting files, installing (malware) programs, etc. Especially if you are a typical (naive) Windows or Mac user and always run with full Administrator privileges.

  15. ron eccles

    Zero Day will not affect me. Flash Player does not stay installed long enough in Opera. I have a fresh copy every day. Either Flash or Opera need to get their act together. Or we need another make of Flash Player.

  16. nsh1960

    In my situation, on Windows Vista SP2 Firefox 35.0.1,
    Adobe Flash Player 16.0.0.296 does not work.
    Blackout Window/Tabs or whiteout ones appear and that’s all.
    no anime, no sound, no otameshi-litenovel extract.
    othermore, loading pages very slow.
    Perhaps something must be wrong.

    vulnerable 16.0.0.287 works.
    I had uninstalled 16.0.0.296 then installed 16.0.0.287.
    though alert for old plugin appears, after allow them, Flash player work somehow well.

    On the other hand, YouTube site works with no problem.

  17. mica

    Not to worry about Adobe’s Flash – as I’m sure Adobe’s programmers will be handsomely rewarded for the expedient manner in which they are handling critical issues. It’s simple trickle down economics as plain as mud.

    (NASDAQ:ADBE) CEO Shantanu Narayen is paid an annual salary of $875,000 for his role as chief executive.
    http://en.wikipedia.org/wiki/Shantanu_Narayen#cite_note-businessweek-5

    (NASDAQ:ADBE) CEO Shantanu Narayen SOLD 100,000 shares of the company’s stock on the open market in a transaction dated Monday, January 26th. The stock was sold at an average price of $72.39, for a total transaction of $7,239,000.00. (SEC filing)

    (NASDAQ:ADBE) CEO Shantanu Narayen SOLD 36,762 shares of the company’s stock on the open market in a transaction dated Monday, February 2nd. The shares were sold at an average price of $69.89, for a total transaction of $2,569,296.18. (SEC filing)

    Not too bad – making over eleven times one’s yearly salary in one week – eh?

  18. HStark

    I apologize ahead of time if I am commenting in the wrong place, but I am at the point of desperation and seeking advice wherever I can find it. I am a teacher and I use Smart Notebook for interactive classroom resources that I then upload and sell from a teacher’s website (www.teacherspayteachers.com). The interactive components require Adobe Flash to run and all of my files are now marked with “swf.exploit.cve _2014_ 0581” and the site will not permit upload. I have done everything I know to do (scans of laptop, latest versions of flash/IE, old adobe files uninstalled/removed, using different computers/browsers to upload files, zipping files, etc.) and I cannot seem to kick this vulnerability! Likewise I cannot find a reliable way to contact adobe for help (their help site is a maze of links back to virtually the same FAQs). Any ideas would be greatly appreciated!

    1. JimV

      You didn’t mention which of the many malware scanning tools you used to try and remove the infection — I utilize several on a weekly basis in full manual scans while running two which are mutually compatible as full-time resident protection.

      Was AdwCleaner among the ones you used? If not, download it from the following link and then run it to see whether it finds the root source of what would seem to be a deep-seated infection. However, if you’ve switched to different computers and browsers before that are all on the same local network and the infection has remained, then it may have propagated itself across your network. If so, you’ll need to disconnect each machine from the network, run the scanning tool(s) on each independently to remove every local infection before re-establishing their networked linkage.

      https://toolslib.net/downloads/viewdownload/1-adwcleaner/

  19. mica

    Adobe began rolling out Flash Player 16.0.0.305 on Wednesday for users who have auto-update enabled.

    The version includes a fix for the recently reported critical zero-day vulnerability – CVE-2015-0313 – that affects Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh, as well as Flash Player 13.0.0.264 and earlier 13.x versions.

    “Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” according to an update added on Wednesday to the Feb. 2 advisory.

    http://www.scmagazine.com/adobe-rolling-out-new-flash-player-version-includes-fix-for-latest-zero-day-bug/article/396491/
