February 5, 2015

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

brokenflash-aThe newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. Google Chrome version 40.0.2214.111 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

As I noted in a previous Flash post, short of removing Flash altogether — which may be impractical for some users — there are intermediate solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

My favorite in-between approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit(EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.


75 thoughts on “Yet Another Flash Patch Fixes Zero-Day Flaw

  1. JimV

    FYI, updates for Adobe AIR (to v16.0.0.273) and Shockwave Player (to v12.1.7.157) were released today.

  2. Bobbi

    I don’t like Adobe Flash Player 16.0.0.305 because it has all kinds of bugs in it that messes with other programs that I use on my computer. I go to college full time and this flashplayer will seriously interrupt my college work. I cannot risk that, but yet, if you want to play a radio station, like, Delilah.com on i heart radio, you are FORCED to use this program. Why is that? Isn’t there another option? Why aren’t we given that option? Why are we FORCED to take a crappy program and use it?

Comments are closed.