April 28, 2014

Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.

The Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice: once with IE and again using the alternative browser (Firefox or Opera, for example).

In its advisory about this vulnerability, Adobe said it is aware of reports that an exploit for the flaw (CVE-2014-0515) exists in the wild, and is being used to target Flash Player users on the Windows platform.

That advisory credits Kaspersky Lab with reporting the vulnerability, and indeed Kaspersky published a blog post today detailing two new exploits that have been spotted in the wild attacking this vulnerability. Both exploits, according to Kaspersky, have been used in so-called “watering hole” espionage attacks, an increasingly common attack technique involving the compromise of legitimate websites specific to a geographic area which the attackers believe will be visited by end users who belong to the organization they wish to penetrate.

This is the second time in as many months that Adobe has shipped a patch to fix a zero-day vulnerability in Flash. What’s more, a well-known Flash exploitation technique was implicated in a separate Internet Explorer zero-day attack that Microsoft warned about yesterday.

While Flash is required by a great many Web sites, there is no reason to let this browser plug-in run content automatically when you visit a Web site. Rather, I’ve urged readers to rely on “click-to-play,” a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them. For more on setting up your browser to use click-to-play for Flash and other browser plugins, see Help Keep Threats at Bay with Click to Play.


88 thoughts on “Adobe Update Nixes Flash Player Zero Day”

  1. SFer

    I have Firefox 28
    running great,
    under Ubuntu Linux 12.04 (LTS).

    FF shows my installed version of Flash as:
    version 11.2.202.350.

    Q:
    How do I update my Flash to the (latest)
    version 11.2.202.356 ?

    My Ubuntu 12.04 Updates Mgr,
    shows: “Everything up to date”,
    without a choice for the latest Flash version…

    Do I have to install the latest Flash manually?
    How do I do that?
    Help!

      1. SFer

        Thanks, Brian
        and Rabid Howling Monkey (love that alias!).

        Will wait a couple days
        to see if Ubuntu 12.04 LTS
        shows the latest Flash version,
        as “available”
        in the Ubuntu “Updated Mgr”.
        Then, it should be very easy to update Flash.

        The manual procedure
        to update Flash in Ubuntu Linux,
        is beyond me (for the time being).

        Thanks, both!

      2. bill

        Brian,

        RE: the instructions on your previous post “Help Keep Threats at Bay with Click to Play” that you referred to above; the instructions for the Firefox browser have changed since that page was written.

        Firefox now requires that you enable click to play for each plugin separately as shown here on the firefox help website:

        Firefox no longer do “click_to_play” option
        https://support.mozilla.org/en-US/questions/967180#answer-464630

        hello nemoload, if plugins.click_to_play is set to true, you can go to firefox > tools > addons > plugins where it’s now possible to set this on a per-plugin basis…

        you need to select “Ask to Activate” instead of “Always Activate” or “Never Activate” to get the click to play functionality

        I would have posted this under the other page, but there is no longer a post option. Thought you would want to know, so you could update how to set up click to play in firefox on your prior post.

    1. Rabid Howler Monkey

      Keep watching for Ubuntu updates. When the updated Flash Player is available, update it.

      And, in the meantime, take some solace in that it’s Windows, primarily, and OS X (aka Macs), secondarily, that tend to get attacked by the [mass] malware miscreants.

      If you have not already installed the NoScript add-on for Firefox, now would be a good time. Use the NoScript Whitelist to manage your frequently-visited, legitimate web sites. Web sites that are not in your Whitelist are precluded from running browser plug-ins such as Flash Player as well as JavaScript. In addition or alternatively, you might consider implementing “click-to-play” as described at the end of Brian’s article. These actions will lower your web browser-based attack surface significantly. Defensive computing is also recommended for Linux, because you never know …

      1. SFer

        Thanks Rabid Howler Monkey! (coolest handle on the web…).

        less than 24 hrs. after Brian’s alert to upgrade Flash,
        the Linux Ubuntu Update Mgr.,
        showed the latest version of Flash for Linux,
        as “available”.

        One mouse click and I was done!

        I wonder how I would have done the Flash upgrade “manually”, in Ubuntu Linux.
        (ie: as soon as the Flash new version
        was available at Adobe’s site).

        I think it’s a file with extension “.SO”.

        Anyone can outline baby-steps for a
        “manual update” of the latest Flash
        in Ubuntu ? (12.04 LTS here…).

        Much appreciated!
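SFer asks how to tell which Flash build Firefox on Ubuntu is actually loading, and the post gives 11.2.202.356 as the fixed Linux version. The script below is an added example (not from the article or any commenter): it reads the version string embedded in libflashplayer.so and compares it field by field with that fixed build. It assumes the plugin embeds its version as an “LNX 11,2,202,356” string and that the listed directories are where the Ubuntu packages and Firefox keep the file; both are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example (not from the article or the commenters): find the Linux
# NPAPI Flash plugin, read the version it embeds, and compare it with the
# Linux build Adobe shipped for CVE-2014-0515 (11.2.202.356).
# Assumptions: libflashplayer.so embeds its version as "LNX 11,2,202,356",
# and the search paths below are the usual Ubuntu/Mozilla plugin locations.

FIXED_LINUX_VERSION="11.2.202.356"

# Print the dotted version embedded in a plugin binary, or nothing at all.
flash_version_from_so() {
    # -a scans the binary as text, -o prints only the match; keep the first.
    LC_ALL=C grep -a -o 'LNX [0-9][0-9,]*' "$1" 2>/dev/null | head -n 1 |
        sed 's/^LNX //; s/,/./g'
}

# Compare two dotted versions field by field (not as strings, so 11.2.202.356
# sorts above 11.2.202.35). Returns 0 if $1 >= $2, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Classify one plugin file. Prints "patched <ver>", "vulnerable <ver>" or
# "unknown"; exit status is 0 only for a patched build.
check_flash_so() {
    ver=$(flash_version_from_so "$1")
    if [ -z "$ver" ]; then
        echo "unknown"; return 2
    fi
    if version_ge "$ver" "$FIXED_LINUX_VERSION"; then
        echo "patched $ver"; return 0
    fi
    echo "vulnerable $ver"; return 1
}

# Look in the places the Ubuntu packages and Firefox drop the plugin
# (assumed locations, adjust for your distribution).
find_flash_so() {
    for d in /usr/lib/flashplugin-installer /usr/lib/adobe-flashplugin \
             /usr/lib/mozilla/plugins /usr/lib/firefox/plugins \
             "$HOME/.mozilla/plugins"; do
        if [ -f "$d/libflashplayer.so" ]; then
            echo "$d/libflashplayer.so"; return 0
        fi
    done
    return 1
}

# Constructed stand-in for a plugin binary (real files are ELF objects):
# NUL-separated junk around the version string, so the demo runs offline.
make_sample_so() {  # $1 = path, $2 = comma-separated version
    printf 'ELF\000junk\000LNX %s\000more junk\000' "$2" > "$1"
}

# Demo: SFer's reported build (11.2.202.350) beside the fixed one, then the
# real plugin on this machine if one is installed.
main() {
    tmp=$(mktemp -d)
    make_sample_so "$tmp/old.so" "11,2,202,350"
    make_sample_so "$tmp/new.so" "11,2,202,356"
    check_flash_so "$tmp/old.so"     # vulnerable 11.2.202.350
    check_flash_so "$tmp/new.so"     # patched 11.2.202.356
    rm -rf "$tmp"
    if so=$(find_flash_so); then
        check_flash_so "$so"
    else
        echo "no libflashplayer.so found on this system"
    fi
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it as `sh flashcheck.sh --demo` to see the two constructed samples classified and then the real plugin, if any, on the machine.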

  2. mbi

    This optional opt-out for McAfee Security Scan software is a pain in the neck. I doubt after downloading this and then uninstalling it I’d ever use any McAfee products. What a stupid stunt by both McAfee AND Adobe.

    1. Old School

      Here is the simple system that I use. It bypasses the junkware. I put two links in a browser folder.
      1. Make a browser folder called Version Info then add the following two links to the folder.
      2. Link name: Flash Player Version Number
      URL: http://www.adobe.com/software/flash/about/
      3. Link name: Flash Player Distribution
      Url: http://www.adobe.com/products/flashplayer/distribution3.html

      Note: only primary information sources are used, no third-party source or software. There may be other Adobe pages that are browser specific but these two pages work for me. I have started to uninstall previous versions before installing the new version.

    2. Danny Gleason

      Absolutely agree, my opinion of Adobe and McAfee continues to drop.

    3. JCitizen

      I always refer to them as McCr@ppy!! I hate that company!! 🙁

      1. Bob Brown

        Default crapware installations are a bane. They call into question the integrity of the operators of the host site. Are you listening, Adobe?

  3. Hugh Harwood

    Does this latest Flash update also fix the problem that kept 2006 / 2007 Intel-based Macs from displaying video after their last update?

    1. SeymourB

      It should, since the previous Mac-only update contained a fix for that.

  4. Anonymous

    Assume title should read ‘Fixes’ not ‘Nixes’.

    This is something I no longer have to worry about. Having taken your advice and removed flash, adobe and java from my system, I’m now using Firefox for everyday browsing and Chrome for when flash is required.

    1. BrianKrebs Post author

      What’s wrong with “nix”? It means to do away with. I get tired of using “Fix” all the time.

      1. Anonymous

        My apologies, I searched ‘Nixes’ and came up with ‘a water spirit that draws its victims into its underwater home’ so assumed it was a typo. Upon searching nix, it does seem when used as a verb that it could be fitting, though more in the sense that it ‘prohibits’ the flaw from being exploited. In doing so it does ‘do away with’ the flaw.

        Appreciate the reuse of words can often irk the writer and you can become actively conscious when using it each time.

        I wonder if you were still at the Washington Post that an editor might have suggested something a little more dramatic. Adobe Update Crushes Flash Player Zero Day. Now that’s an eye catching headline.

        1. meh

          Crushes? It wouldn’t be true though… Something more like ‘Adobe lazily attempts another pass at their security whack-a-mole’ would be more apt.

          🙂

          1. SeymourB

            It’s like the old quote about every new Windows release adding so many bugs that some of the older bugs stopped working.

  5. Chris Thomas

    Thanks for the invaluable information Brian. No doubt we would have had to wait for many days before the Adobe Flash automatic updates took effect.

    You can manually run the Windows scheduled tasks for Flash update until you are blue in the face and still nothing happens. There is no viable alternative but to download and run the installation files if you want to run Flash safely.

    1. meh

      Does anybody know if there is a way to shorten that excessively long window? Isn’t it like 30 days before it auto-updates? Is that hard baked into the program or is there a config setting somewhere to override that?

        1. meh

          That is just the notifications, 95% of our corporate machines are limited users who can’t install their own updates and I think the built-in auto-update feature is 30 days.

      1. JCitizen

        Not exactly an enterprise solution, but File Hippo’s Update Checker released the Adobe update at least as soon as the day Brian’s article came out. I keep reading glowing reports about Ninite, but haven’t tried it yet.

        If you mean the IE flaw, there is just no getting MS to hurry up.

  6. Tim A

    I can’t help but wonder how many security updates fix holes that were created in previous security updates.

    1. JCitizen

      Seems like that actually happens at least once or twice a year – a couple of days after a patch – here comes another one – with apologies in the news!

  7. TheOreganoRouter.onion.it

    Thanks for the heads up on this one

    1. Chris Thomas

      So that’s why Brian’s site has been blocked by OpenDNS phish blocker. It’s not blocked now.

  8. Stratocaster

    Hmm… Internet Explorer is conspicuous in its absence from the list of click-to-play-compatible browsers. Which is one reason among many why I read your column using Chrome. BTW, our enterprise-standard browser is Internet Explorer 8. Don’t ask….

    1. mechBgon

      In IE, you would use ActiveX Filtering as your click-to-play. Gear icon > Safety > ActiveX Filtering. When there’s a checkmark, it’s enabled. Unfortunately for your work system, it debuted with IE9.

  9. chasm22

    Well, for anyone running the latest version of Win 8.1 and I.E. 11 here’s something to watch out for.

    I run Chrome but I update IE as a matter of routine, if there is anything routine about IE. Anyways, IE on Win 8.1pro defaults to certain settings which are both a good thing and,IMO, a real bad thing.

    My computer had Shockwave Flash Object disabled in the add-on manager. The second and equally important thing is that under settings/safety the ActiveX filtering was set to enabled.

    Both these settings are positive if you want to disable Flash, but they also make it impossible to update the flash player via Windows update. Windows update now includes critical updates for this, and will do it automatically if you are set up that way for updates, however if you have flash disabled AND/OR ActiveX filtering enabled you won’t receive the update. You not only don’t receive it, but amazingly you aren’t even informed of it. Meaning if at some point you enable the flash player you won’t be running the latest version.

    To further compound the seriousness of this oversight, Adobe will keep giving you the same message that says that you have flash player installed with IE and don’t need it. Of course if you search the site you can download to the latest version, but you really get a mixed message from Adobe.

    No, I don’t use IE. I just wanted to possibly help out anyone like me who is dumb enough to keep flash and wants the latest version on any/all of their browsers.

    Microsoft knows any machine running IE 11 has Flash embedded, so the question is why does it matter whether or not you have it enabled or disabled. They should be updating it. All the more so because it is embedded.

    1. chasm22

      “IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.”

      Brian,

      Chrome auto updates, but IE 11 doesn’t in my experience. Since it’s embedded (flash that is) in IE 11, shouldn’t that be viewed as a serious flaw? I tried to do the right thing and had flash disabled and ActiveX filtering enabled, and for doing that Microsoft decided I didn’t need the auto update! And yes, when I enabled flash and turned off ActiveX filtering, I instantly received the critical update notification! Talk about Catch-22.

    2. mechBgon

      “Microsoft knows any machine running IE 11 has Flash embedded, so the question is why does it matter whether or not you it enabled or disabled. They should be updating it. All the more so because it is embedded.”

      That’s not really correct. I have IE11 installed on Windows Home Server 2011, Windows 7 and Windows 8.1. Only Win8.x embeds Flash Player, and on that platform, Microsoft does update the Flash Player ActiveX version via Windows Update. They shipped it, they fix it. But only on Win8.

      “Both these settings … make it impossible to update the flash player via Windows update….however if you have flash disabled AND/OR activeX filtering enabled you won’t receive the update.”

      That is also incorrect. I have a SOHO fleet of Win8.1 Pro systems and they are pulling their Flash Player updates via Windows Update with no problems. And they use ActiveX Filtering, in fact it’s enforced by Group Policy and cannot be disabled by the users.

      Tangentially, I would be glad to see the day when Microsoft releases a utility similar to Secunia PSI that checks for out-of-date third-party software and updates it. But it would probably result in a legal apocalypse. For those who’d like such a utility, Secunia PSI (the installable version, not the Java-driven web version) is a safe bet.

      1. Greg

        If I’m not mistaken, “PSI” stands for “Personal Software Inspector” and the license forbids its use on any “non-personal” (e.g., business) computers.

        1. JCitizen

          Secunia CSI would be the enterprise version I think. Microsoft is so busy trying to reinvent themselves (or better be), I really wonder if they would even think of acquiring a firm like Secunia to make Windows more secure. With everyone headed for the clouds, I wonder about that. I’d compare that with the purchase of Sysinternals.

        2. mechBgon

          You’re right Greg, I forgot to mention that caveat. Secunia PSI’s license agreement only permits personal non-business use.

  10. Hamilton

    Is my understanding correct, that this patch does not do anything to mitigate the separate IE vulnerability announced over the weekend? That vulnerability requires flash player according to FireEye.

  11. Sueska

    Brian,
    Shouldn’t your website display “Apr 28” and not “Apr 14th” since you just posted this article today? Not a biggie, I was confused at first and thought this was an older article. Thanks

    “28
    Apr 14
    Adobe Update Nixes Flash Player Zero Day”

    1. Hamilton

      That’s the 28th of April, 2014. Confuses me sometimes too.

      1. BrianKrebs Post author

        There is also a date and time stamp at the end of every story, albeit in smaller print and a different color than the story font.

  12. Bill

    You may want to stress that there are two exploits out there. The Adobe plug-in fixes one, and not the other. Both are zero day. The one not fixed by the Adobe plug-in is the IE exploit.

  13. Rosemary

    Thanks Brian, been following your blog since the NY Times article and spreading the word!

  14. Algeranon

    If Kaspersky knew about this first, did they DO anything immediately to protect against it?
    I have it (for one) and never noticed any actions by it, much less warnings.
    I use flash a lot since it seems to be the youtube, etc. player.

    1. JCitizen

      There is no doubt Kaspersky issued a signature to customers immediately after qualifying the code to identify it – but that means nothing nowadays, as the same exploit could come in a package that won’t trip the sensors of most AV/AM solutions tomorrow. The crooks are just too good at camouflaging their code to remain detectable for long.

  15. joan

    Oh my God, I’m so glad to tell everyone the real thing that
    happen to me…My name is JOAN. If i refuse to share this
    testimony it means i am selfish to my self and to people i love so
    much whom might have similar problems, March 16th about
    something 7:23pm after taken our dinner my husband got crazy
    started calling a lady name Melisa I love you, i was so mad and
    started crying like a baby…then my husband left home then for
    the idiot called Melisa, and never return back home then i
    believed when he understand his self he will surly come back to
    apology, but instead he left me So i complained to my friend she
    told me she was having such problems in her marriage until she
    was introduce to DR MUK who specializes in bringing back
    broken homes and broken marriages DR MUK cast a spell for
    me in May 4th surprisingly my husband came home May 6th
    apologizing that i should forgive him that it will never happen
    again, i was so glad and gave the thanks to DR MUK who save
    my marriage, if you are having similar problem you can contact
    him and His email address is (DRMUKSOLUTIOTEMPLE@HOTMAIL.COM)

    1. BrianKrebs Post author

      OMG Joan! Thanks for the latest twist on nutty scam emails. I can’t imagine what the scam here is, but go sell crazy somewhere else please.

      1. JCitizen

        HA! Thanks for leaving that one up Brian – sometimes the nuts are entertaining! 😀

  16. Gabbar Singh

    Thanks Joan, now everybody knows… And that wasn’t your husband that came home, I traded faces with Dr. Muk, you loser.

  17. Algeranon

    Browser shows this warning at your website this time:
    “ “This page has insecure content.”

    Issue

    Websites that ask for sensitive information, such as usernames and passwords, often use secure connections to transmit content to and from the computer you’re using. If you’re visiting a site via a secure connection, Google Chrome will verify that the content on the webpage has been transmitted safely. If it detects certain types of content on the page coming from insecure channels, it can automatically prevent the content from loading and you’ll see a shield icon Insecure content shield icon appearing in the address bar. By blocking the content and possible security gaps, Chrome protects your information on the page from falling into the wrong hands.

    What to do if you see this alert

    Parts of the page may not display when Chrome blocks the insecure content. You might want to notify the website owner that their site isn’t properly secured, particularly if it does not display properly.

    Although not recommended, you can choose to override the alert for the page by clicking Load anyway. Chrome will refresh the page and load its content, including any insecure content. The URL in the address bar will show https crossed out to indicate that the page is not fully secure.”

  18. Roberts

    Interestingly IE11 and FF29 seem to have updated automatically. First time I haven’t manually installed the update. Both are running current version of Flash *.206.

    Not sure if this is because they’ve changed their updating, or because I was a few hours slower than usual in updating.

    Chrome (as usual) did so automatically as well.

    1. Greg

      As far as I know, Firefox didn’t automatically download updates for Flash Player. Did this change in 29.0? (I updated Firefox to 29.0 on the iMac at the office, decided we weren’t ready to make the leap to such a different UI and reinstalled 28.0. And I’m holding off on updating from 28.0 on my Windows PC at home.)

  19. Algeranon

    Does the Adobe update mean that IE is “safe” now?
    There has been so much talk of IE vulnerability it makes me wonder.

  20. Jeremiah

    Per the original Microsoft advisory, we deregistered the VML library (VDX.DLL) on all of our Win7+Office 2010 systems and have not seen any adverse web rendering impacts. VML should be deprecated. Documents created in Office 2000 could potentially have issues, but I’ve been able to create 2D vector drawings in Office 2010 without VDX.DLL.

    VML has been attacked many times before. We’re going to leave VDX.DLL deregistered and push out the Flash Player update to mitigate this and hopefully break any future attempts to exploit VML vulnerabilities. If you don’t need it and can leave it deregistered, I’d also suggest changing the ACL on VDX.DLL to remove the EVERYONE group, as mentioned in the same Microsoft advisory.

    1. JCitizen

      I couldn’t get the cacl command to work despite elevating the command prompt – I wonder what I’m doing wrong?

        1. JCitizen

          Yes – the Technet article had the command line to deny the everybody group from the ACL. At least that is how I understood it – but I don’t remember needing anything special as far as snap-ins or group policy – this was supposed to be a fairly direct universal fix.

    2. Mr Tee

      Microsoft revised the advisory on Apr 29, dropping the ACL workaround, because “…it has the same effect as the Unregister VGX.DLL workaround and is harder to deploy.”

  21. W. Spu

    Just wondering… Will installing the latest Adobe Flash Player (for CVE-2014-0515) mitigate the exploitation of the new Internet Explorer vulnerability (CVE-2014-1776) through Flash? I know it isn’t a patch for this IE vulnerability and that it can be exploited without Flash. The current exploits use Flash but I can’t find any official statement that these exploits will not work anymore when the Flash Player is updated.

    1. BrianKrebs Post author

      There must have been several news publications spreading this rumor or something; I’m not sure how so many people could have come to the same conclusion. Anyway, this Flash patch does *nothing* to protect against the IE zero-day vulnerability. They are two completely different flaws.

      1. Tony Tovar

        I would appreciate it if you made your original article clear on that point. This Adobe update was posted the day after the IE news and your article is labeled, “Nixes zero-day”, so it was an easy mistake to think they were related.

        1. SeymourB

          The mistake requires you to assume that only IE has zero day bugs. Zero day, literally, means the first day a vulnerability is discovered (or publicized). Any piece of software can be affected by a zero day bug.

          In this case IE had a zero day bug publicized over the weekend, and Flash fixed a zero day bug on Monday. Completely unrelated events. Both were zero day bugs.

        2. sergey

          tony you talk as if krebs’s article was somehow unclear or responsible for conflating the two issues. if people make that connection, it is their own faulty assumption.

  22. Algeranon

    This whole mess is so like the other messes.
    The ordinary user gets dazed and confused, and the geeks insult them for it usually.
    Yet it is the geeks who write the messes. The rest of us try and trust them. Yet we keep getting it proved we shouldn’t.
    It reminds me of religions that way.

    1. Tim A

      @Algeranon,

      You hit the nail right on the head there. If only the general public knew or cared that the sole purpose of security updates is sloppy programming.

    2. chasm22

      @Algeranon

      Boy, I know the feeling. As I pointed out at the last Adobe flash update, if you do the right thing in IE 11 and disable flash, turn on ActiveX filtering, etc you get screwed even worse.

      Because then if you go to the link provided by Brian OR navigate to the Adobe site independently with IE 11, you will be informed by Adobe that you have flash disabled on IE (it doesn’t even apparently recognize the version) and that you’re running Win8.

      As I’ve stated before, this does you absolutely zero good since you don’t get the version of flash that you have, you’re just told it’s disabled. Which, of course, you probably wanted and already knew. The information you really want can be found in the add-on manager, but as my experience and others have taught me, add-on manager can’t be trusted to give you the correct information.

      The bottom line is as you stated. You follow the websites like KOS, etc looking for helpful information on issues like this, but are totally hamstrung from implementing it.

      Not blaming Brian or anyone else here, because the responsibility lies elsewhere, but if you’re like me and have a version of IE that has flash embedded, do not expect to receive updates if you have flash disabled. Because as of now MS is only updating computers that have flash enabled. Isn’t that sweet? Thank God for Chrome. But unfortunately you still will have to enable flash on IE!! and turn off ActiveX filtering to get the latest auto update. Of course you can go to Adobe too, but, heh, isn’t the ability to control the updates and the player THE primary reason that MS got the code from Adobe and embedded the flash player? Or was it so they could claim to be doing it while all the while screwing their customers?

    3. anon

      @Algeranon,

      There are striking similarities to some religions embedded in certain OS’s…In fact there’s a religion that believes there’s 3 levels in God’s kingdom to keep unwanted behaviors from the lower levels from affecting the higher levels. (much like an Admin, Standard and Guest user level.) Also do a google search of the individual’s name that’s said to have a hand in the microcode for Intel in linux. The calendar in linux also references dates to a vast assortment of religious dates. The names of the package sources in linux bear striking resemblance to a newer American-born religion’s names for God’s kingdoms as well. Or…I could just be confused from not following my own advice and needing to “unplug” for a while..after all I am browsing and posting to a website in Admin mode (which is a big no-no) but from within a virtual box from which the host is in Standard user and has no internet enabled..(but then there’s that whole nasty hypervisor exploit that’s damn near undetectable to worry about!!!) Ohh well..so many exploits so little sleep makes for a bad combo for me. I tire and sometimes want to throw in the towel..don’t know who to trust, what is fiction or fact, and I can’t tell right from wrong any more. (I should never have taken that pill..was it red or was it blue????)

  23. anon

    I find it interesting that users of Ubuntu distros seem very concerned about a simple “Flash” vulnerability when all the while Ubuntu is selling all your data to Amazon and the NSA and refuses to remove the biggest threat of all time. Security is a thing of the past. I would much rather have a simple hacker or hacker group steal all my data than be spied on 24/7 by a group that is above the law and when caught in the act is able to simply write it in to law as being legal. Sometimes we get too busy in our everyday lives to think of the tens of millions of brave men and women that made the ultimate sacrifice to ensure our Constitutional Rights from ALL enemies foreign or DOMESTIC. I simply cannot understand how creating the biggest security breach of all times is somehow supposed to make me feel more SECURE in my HOMELAND.

    1. anon

      just to add…heres a simple command if you want security:

      “# wipe -S r -Z -r /” then after a week when the command finishes, unplug. Security of your machine is now complete!

  24. anon+1

    “Sometimes we get too busy in our everyday lives to think of the tens of millions of brave men and women that made the ultimate sacrifice to ensure our Constitutional Rights from ALL enemies foreign or DOMESTIC.”

    ..or so they would have you think.

      1. JCitizen

        Surprise is right! Who knew MS would come to the rescue of XP users! :O

  25. W. Spu

    At approximately 10 a.m. PDT, Microsoft will release an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Microsoft Security Advisory 2963983. This update is fully tested and ready for release for all affected versions of the browser.
