25 Nov 14

Adobe Pushes Critical Flash Patch

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for the Windows, Mac and Linux editions of Flash. The patch adds protection against a vulnerability that Adobe fixed earlier this year, for which attackers appear to have devised new and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine indicating that the vulnerability was being exploited in the wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice: once for IE (the ActiveX control) and again for the alternative browser (e.g., Firefox or Opera, which use the separate plugin). Check the installed version in each browser afterwards rather than trusting the installer's label.
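The two-install point above is easy to get wrong at fleet scale, so here is an added example (not code from the original post or from Adobe) that takes a simple host/platform/plugin/version inventory and flags every Flash instance still below the patched build for its platform. The inventory lines are constructed for illustration; the thresholds are the versions quoted in the post. It compares versions numerically, because comparing the raw strings would rank "11.2.202.5" above "11.2.202.424".

```python
"""Flag Flash Player installs that are below the patched build.

Added example, not part of the original post. The inventory lines below are
constructed, not real scan output; the thresholds are the versions the post
quotes (15.0.0.239 for Windows/Mac, 11.2.202.424 for Linux).
"""
from typing import Dict, List, Tuple

# Minimum patched versions per platform, as stated in the post.
PATCHED = {
    "windows": (15, 0, 0, 239),
    "mac": (15, 0, 0, 239),
    "linux": (11, 2, 202, 424),
}

# Constructed inventory: host, platform, plugin type, version the plugin
# itself reports. A Windows host can carry two independent copies (ActiveX
# for IE, NPAPI for Firefox/Opera), which is why the post says to patch twice.
INVENTORY = """\
ws01 windows activex 15.0.0.239
ws01 windows npapi 15.0.0.223
ws02 windows activex 15.0.0.223
mac01 mac npapi 15.0.0.239
lx01 linux npapi 11.2.202.418
lx02 linux npapi 11.2.202.424
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '11.2.202.424' into (11, 2, 202, 424) so comparison is numeric.

    Comparing the raw strings would rank '11.2.202.5' above '11.2.202.424'.
    """
    return tuple(int(part) for part in s.strip().split("."))


def outdated(inventory: str) -> Dict[str, List[str]]:
    """Return {host: [plugin types still below the patched build]}.

    Each plugin instance is judged separately, so a host that patched IE but
    not Firefox still shows up with 'npapi' listed.
    """
    result: Dict[str, List[str]] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, plugin, version = line.split()
        if parse_version(version) < PATCHED[platform]:
            result.setdefault(host, []).append(plugin)
    return result


if __name__ == "__main__":
    for host, plugins in sorted(outdated(INVENTORY).items()):
        print(f"{host}: patch {', '.join(plugins)}")
```

Feed it whatever your inventory tool emits (the version each plugin reports about itself, not the name of the installer that was pushed), and the output is the list of hosts and plugin types that still need a second pass.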



37 comments

  1. The Flash download from the link is still 15.0.0.223, even though it says 15.0.0.239. MD5s are identical to the copies I have of 15.0.0.223, and when installed, it says it is 15.0.0.223.

    Not Brian’s fault, but Adobe’s. Hopefully they’ll fix that quickly.

  2. If you download from the Flash homepage (uncheck McAfee if you don’t want it), you’ll get version 15.0.0.239.

  3. Hmmph. Uninstall flash sounds like a better option at this point.

  4. @Alex Blackwell, “good” idea, and then go over a few hundred desktops and laptops located in a few different countries to manually install it. Why should Adobe make life easy for IT departments all around the globe … after all, they aren’t making any money off us.

    I’m with Eric but unfortunately it’s not my decision :(

  5. Strange, from the distribution3 page I got .418 on some machines (7241108 bytes) and .424 on others (7241264).

    They were consistently the same, but .424 was received only from another subnet under the same ISP.

  6. Does this mean an update for PPAPI Flash on Chrome is necessary or just normal Flash (which I don’t have)?

    Thanks

  7. It seems the link from the Adobe blog is throwing a 404:
    http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

    Google has a cached version, meaning the page WAS there. Anyone else seeing this?

  8. Has anybody noticed that the login sequence on eBay invokes the MS Silverlight plug-in? And remember the (I think it was) 2008 Olympics in China, when NBC.com did all their videos in Silverlight? Can we drop Flash and switch to Silverlight?

    I’m not an expert on these plug-ins, just wondering if that’s a possibility… Silverlight certainly seems more stable, and that’s from a guy who regularly bashes Microsoft’s competence! 😉

    • Silverlight isn’t supported on as many platforms as Flash, and it’s had its share of security updates too. They just don’t stand out as much because they tend to get lost in the crowds of updates Microsoft releases.

      HTML5 is slowly taking over, so both Flash and Silverlight are actually on their way out.

      • The number of Silverlight security issues is minuscule compared to the number of Flash exploits. Give me a real-life example where someone got hacked because they used Silverlight.

        • Carsten, there are plenty of documented cases where exploit kits or other widely used tools have bundled Silverlight vulnerabilities. Just the fact that there are >100 million Netflix users alone makes it a nice target for the bad guys.

          • I was asking for real life attacks that got through the front door because of Silverlight. I’m not aware of any. After you get through the front door if you are able to get to another room by using a Silverlight vulnerability is of lesser concern to me.
            Brian why don’t you post the number of Flash vulnerabilities vs number of Silverlight vulnerabilities. I’m willing to bet that it is more than 10 to 1.

            • Unfortunately it doesn’t matter whether SilverLight is more secure because for the small number of websites that make use of it the increase in attack surface isn’t worth it. Just my two cents.

            • Just because you’re not aware of Silverlight vulnerabilities doesn’t mean they don’t exist.

              Silverlight gets updates the same as Flash does, and if not for security updates why do you think they have updates? It’s not for new features – HTML5 is going to inevitably kill both Flash & Silverlight for all but the most extreme corner cases.

              If anything, Silverlight is a more inscrutable black box than Flash, because its extremely limited use means fewer miscreants are looking at it for exploits. The exploits that are found are patched, same as anything decent out there, but it’d be foolish to assume there aren’t more exploits lurking in Silverlight. Or that the patching cycle wouldn’t kick into high gear if the world switched over to it. It’s a Microsoft product, after all.

              • How many times has Microsoft released an emergency patch for Silverlight? How many times has Adobe, like here, released an emergency patch for Flash? Just look at the headlines here at krebsonsecurity. I don’t recall ever seeing Brian urging people to update Silverlight because there was an active attack.

            • Here are a couple results from a search for “Silverlight exploit payload:”

              From Microsoft’s own site: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:JS/Axpergle#tab=2

              From MalwareBytes:
              https://blog.malwarebytes.org/exploits-2/2014/05/malvertising-campaign-on-popular-site-leads-to-silverlight-exploit-zeus-trojan/

              The payloads mentioned here are dangerous stuff, banking Trojans to be precise. I acknowledge your main point, which is that Silverlight’s track record looks much better than Flash Player’s. But in either case, I would prefer to switch them off by default, and enable them when needed. Turning on click-to-play and/or ActiveX Filtering is a good proactive move IMO.

  9. Google finally got off their ass and pushed a Chrome update (as of ~15 minutes ago) containing the patch. That took long enough.

    • They have yet to update the dev channel of Chrome (because I like my browser to act funky sometimes. heh). It’s still on Flash v15.0.0.223.

  10. HTML5 at 100% can’t come fast enough for me. Flash is an unmitigated disaster.

  11. Installed no problems for use with Firefox 33.1. Also the Firefox Developer Edition is doing almost daily updates now and that’s how I found out about this flash update patch.

  12. “Installed no problems for use”

    Except it’s proprietary so you don’t really know what it’s capable of.

  13. I love how easy it is to update Chrome lol. tks.

  14. Do we really need Shockwave – it has crashed on Mozilla four times this past week?

  15. My Chrome won’t update.
    “Update failed (error: 7)An error occurred while checking for updates: Egads! Installation failed. Please try again. Error code = 0x00000000.”

    • You may want to uninstall and reinstall Chrome.
      Make sure your bookmarks are synced with your Google account first: Settings > Advanced sync settings
      Or
      export your bookmarks:
      Options > Bookmarks > Bookmark manager > Organize > Export bookmarks to HTML file

  16. When I see this, I get the same feeling I get when it’s time to pay taxes: again, and no, there’s nothing I can do.

    Adobe has been pushing critical security patches for its Flash Player software for 10 years now. You’d think they would have learned how to build a secure application. Seems not.

  17. So I’m always confused about how these things affect us Linux users…

  18. ARRRG!! We (I) JUST finished updating a new image that will get used on dozens of machines. The wait was based on waiting long enough to catch November’s Patch Tuesday. In the meantime, we had how many Firefox updates all within three weeks?? Plenty! Thankfully, we weren’t able to put it out just yet except to two machines as field testers. I can update the image again, but at this rate, I might as well wait for December’s PT releases. Another FF update is sure to come over the long weekend (US holiday).