October 20, 2015

Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software. Separately, Oracle today released an update to plug more than two-dozen flaws in its Java software. Both programs plug directly into the browser and are highly targeted by malicious software and malefactors. Although Flash and Java are both widely installed, most users could probably ditch each program with little to no inconvenience or regret.

The latest Flash version, Flash 19.0.0.226 on Windows and Mac, fixes a flaw that Adobe warned last week was already being exploited in active attacks. As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing. To disable Flash, click the “disable” link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

JAVA

Separately, Oracle has released its quarterly patch update for Java, another powerful browser plugin that also is heavily targeted by malware and ne’er-do-wells. This update for Java — which brings the program to Java 8 Update 65 — fixes at least 25 security vulnerabilities. According to Oracle, all but one of those flaws may be remotely exploitable without authentication, meaning they can be exploited over a network without the need for a username and password.

If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
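Both the Flash and Java sections above tell Windows users to look in Add/Remove Programs and to update to the versions named in this post. The following PowerShell script is an added example (not from the original post) that does that check from the same data Add/Remove Programs reads: it walks the Windows uninstall registry keys and flags any Flash Player or Java entry older than 19.0.0.226 or Java 8 Update 65. It assumes the DisplayName/DisplayVersion strings Adobe and Oracle write (e.g. "Adobe Flash Player 19 NPAPI" / "19.0.0.226" and "Java 8 Update 65" / "8.0.650"); the "8.0.650" form is an assumption about how Oracle records 8u65.

```powershell
# Added example: flag Flash Player and Java installs older than the patched
# versions this post names. Run in an elevated PowerShell prompt.
$Patched = @{
    'Adobe Flash Player' = [version]'19.0.0.226'  # from the post
    'Java 8 Update'      = [version]'8.0.650'     # Java 8u65 (assumed DisplayVersion form)
}

# Both native and WOW6432Node views, so 32-bit plugins on 64-bit Windows are seen.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

foreach ($name in $Patched.Keys) {
    $hits = $Installed | Where-Object { $_.DisplayName -like "$name*" }
    if (-not $hits) {
        "$name : not installed (nothing to patch)"
        continue
    }
    # Flash registers one entry per browser plugin type (ActiveX for IE,
    # NPAPI for Firefox/Opera), so each entry is checked on its own.
    foreach ($hit in $hits) {
        $v = $null
        if (-not [version]::TryParse($hit.DisplayVersion, [ref]$v)) {
            "$($hit.DisplayName) : unparseable version '$($hit.DisplayVersion)'"
            continue
        }
        $status = if ($v -ge $Patched[$name]) { 'OK' } else { 'OUT OF DATE' }
        "$($hit.DisplayName) $v : $status"
    }
}
```

An "OUT OF DATE" line for only the ActiveX or only the NPAPI Flash entry is the double-patch situation the Flash section describes: the browser that was not used to install the update is still running the old plugin.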

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


22 thoughts on “Flash, Java Patches Fix Critical Holes”

  1. JCitizen

    Email must be going crazy – I swore I got this article already!

    1. B. Moore

      I swore I got this post by RSS already too. Looks like this was originally posted on the 15th and for some unknown reason Brian re-posted it today.

  2. a

    Brian, the direct link to download Flash is missing. Fortunately, it’s in my history because I go there so often.

  3. Hayton

    The Oct 15 date on this post is very misleading. There was indeed a post from Brian on that date about a Flash update but that was said to be for version 19.0.0.207 not 226. However, I’ve had 226 installed for some days now. Maybe Brian just overlooked the 226 release when it happened.

    1. Matt

      The dates on the headers are confusing. It is 20, October, 2015. I see the same thing all the time – no matter how often I come here I get confused by the date format.

      Regarding the Flash versions:
      19.0.0.207 released on October 13, 2015
      19.0.0.226 released on October 16, 2015

      1. BrianKrebs Post author

        The big number is the day. Also, there is a date and time stamp at the end of every story.

        1. Joey Jojo Junior Shabadoo

          I come here at least twice weekly.

          The date formats confuse me.

          Every. Single. Time.

          I have no qualms with DAY MONTH YEAR. In fact, I prefer it.

          Yet, the way these are displayed on this site confuses me.

          Every. Single. Time.

          A simple solution, IMO, would be to adopt Y2K-compliant 4-digit years. It is the right thing to do.

  4. Nikon1

    It’s October 21, 2015 – Back To The Future Day.

    I’m sure Brian has tied this post into that day – Just too bad that both Flash and Java are still around and so prevalent!

  5. Phil

    I too, am constantly confused by the dates / numbers at the tops of all the posts. I mean, I know it’s not rocket surgery, but why not just use a simple date at the top, not at the end. Oct. 20, 2015. Boom simple.

  6. jim

    Not sure, off topic, but did everyone look at the /. article on the new c-cards? ( sslashdot.org/story/301477) The last link has the PDF on research by the French on the easiest break on the newest cards. Surprised it’s not in the wild here.

    1. BrianKrebs Post author

      Jim,

      Read the paper you speak of. The researchers said the method they described is no longer viable due to changes the card associations have made. Also, the paper looked at an incident that happened back in 2011.

      1. Jim

        Early proof of concept. I’m sure that the tradeoff of one style to another helped. But it goes to my point that separate systems may work just as well. All the eggs in one basket does not make good security. There are weak spots in all systems, and theirs was an early adopter, one system, early, and was cracked by brute force. Just as swiping carbon papers was the early way for swipe cards. What’s on the horizon?

  7. Marma Lade

    It’s strange that a journalist would recommend that users remove Flash from PCs when many news videos require it.

    1. Stratocaster

      Without the 800-pound gorillas of iPhone/iPad, news videos will be dragged kicking and screaming to other platforms or die.

      1. Marma Lade

        If that were true, BBC News would have adopted an Apple-friendly video format in its recent website revamp. Or could it be that Apple users do not watch news videos, only YouTube videos?

  8. Dismayed

    I enabled Click-to-Play this afternoon and then decided to quit stalling and put a freeze on my credit reports, which I’d been putting off because in my heart I knew it would not be simple.

    And at the end of the first one I tried–Equifax–the must-have confirmation document came up blank: no Adobe Print button I was told I had to use, no PIN number or whatever ID I’d need to access the main site, and no tech support number because I have to have the info on the blank document to get to the Customer Support line! *weeps*

    Does that sound like it might have been a Click-To-Play issue? I had sense enough to take a screenshot of the page, but didn’t go high enough in the browser to catch the browser line.

  9. Dismayed (reporting back)

    Happy to report that after 90 minutes of feeling very, VERY bad about the Catch 22 I was in, I figured out it wasn’t a Click-to-Play issue, it was #Equifaxfail.

    I’m on a Mac and have Preview set as my default PDF reader. However, the Equifax confirmation document assumes everybody uses Adobe Reader but doesn’t bother to tell you that.

    The thought came from nowhere to check my downloads and lo! there in the menu appeared a file named SFF.pdf that originated at equifax.com. In a nice clear Courier font it gave me my 10-digit PIN.

    But gee, Equifax, talk about being user-unfriendly. *shakes head*

  10. Jeff Coz

    Brian,
    Patching, especially with Flash, is a constant concern with my employer and with me as the compliance and security analyst. We do subscribe to, for example, an employee training online provider which writes their training courses in Flash. Though we perform an annual training session in which the entire company is required to complete PCI DSS and security awareness, we have employees that also need to complete these courses upon hire. Thankfully Chrome updates the Flash plugin automatically, but IE and Firefox do not. We have a GPO set to disable Flash in IE and Firefox to limit exposure. Discussions are ongoing internally to disable it in Chrome and require end users to turn it on when absolutely necessary. The problem will be solved if vendors eliminate Flash altogether.
