05 Feb 15

Yet Another Flash Patch Fixes Zero-Day Flaw

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

The newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera), because the ActiveX control used by IE and the plug-in used by other browsers are separate installs.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. Google Chrome version 40.0.2214.111 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”
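Because the IE ActiveX control and the NPAPI plug-in used by Firefox and Opera are separate binaries, a machine can be half-patched. The following PowerShell script is an added example (not from this post or from Adobe) that lists both components and flags any still below the fixed build, 16.0.0.305; it assumes the standard install locations under `%SystemRoot%\System32\Macromed\Flash` and, on 64-bit Windows, `%SystemRoot%\SysWOW64\Macromed\Flash`, and does not cover the PPAPI Flash bundled with Chrome, which Chrome updates itself.

```powershell
# Added example: inventory installed Flash Player components and compare each
# against the build that fixes CVE-2015-0313. Assumption: Adobe's binaries live
# in the Macromed\Flash folders below (ActiveX = Flash*.ocx, NPAPI = NPSWF*.dll).

$FixedVersion = [version]'16.0.0.305'   # patched build named in the post

function Get-FlashComponents {
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash",
              "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'Flash*.ocx' -or $_.Name -like 'NPSWF*.dll' } |
            ForEach-Object {
                # Flash reports its file version with commas, e.g. "16,0,0,296";
                # normalise to dots so it can be cast to [version] for a real
                # numeric comparison (string comparison would misorder builds).
                $raw = $_.VersionInfo.FileVersion
                $ver = $null
                if ($raw) { try { $ver = [version]($raw -replace ',', '.') } catch { $ver = $null } }
                [pscustomobject]@{
                    Component = if ($_.Extension -ieq '.ocx') { 'ActiveX (IE)' } else { 'NPAPI plug-in (Firefox/Opera)' }
                    Path      = $_.FullName
                    Version   = $ver
                    # Unknown version is treated as unpatched so it gets looked at
                    Patched   = ($null -ne $ver) -and ($ver -ge $FixedVersion)
                }
            }
    }
}

$components = @(Get-FlashComponents)
if ($components.Count -eq 0) {
    Write-Output 'No Flash ActiveX or NPAPI binaries found; Flash may be uninstalled.'
} else {
    $components | Format-Table Component, Version, Patched, Path -AutoSize
    $stale = @($components | Where-Object { -not $_.Patched })
    if ($stale.Count -gt 0) {
        Write-Output "Still below $FixedVersion : $($stale.Component -join ', ')"
        Write-Output 'Re-run the Adobe installer for each listed component (IE and non-IE separately).'
    } else {
        Write-Output "All installed Flash components are at or above $FixedVersion."
    }
}
```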

As I noted in a previous Flash post, short of removing Flash altogether — which may be impractical for some users — there are intermediate solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

My favorite in-between approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.


75 comments

  1. Flash has been “dying” for five years, but it has now passed the time for users to remove or disable Flash altogether. Ever since Apple decided not to support it on the iPhone and iPad, web sites have scrambled to provide HTML5 and JavaScript replacements, and today very few sites don’t have an alternative approach that replaces Flash.

    No web content is worth the risks to your computer that Flash presents. And don’t take my random word for it, because it’s easy to weigh the risks for yourself. Disable Flash in your browser and see if there’s anything you absolutely can’t do on the web. Then, never turn it back on.

    • I’m not an IT expert, but understand the need to be safe on the internet. Thank you for your comment. I’m going to uninstall Flash Player and see what happens.

  2. Your link to the “OS-specific Flash download” page is to the French language page. Is that intentional?

  3. Stop falling victim, install malware bytes anti exploit!

    • what are you talking about?

      • I do believe that what Rick was attempting to express there is that we should all install malware byte anti exploit as a method of ceasing to fall victim.

        Hope that helps!

    • A very loud HEAR HEAR! I use it, both the Free and Premium versions. Malwarebytes is in the elite of elite providers of protection against malware for Windows computers.

      I make sure that all the computers I support have it. Great for quite relaxing evenings without people calling me with malware intrusion problems.

  4. The link above to download the standalone installers points to the French page rather than the English page (“Télécharger le programme d’installation EXE”). When I downloaded and ran it, I was kinda disappointed that the on-screen instructions weren’t in French, too.

  5. Here’s the regular English distro page that Brian usually posts:

    http://www.adobe.com/products/flashplayer/distribution3.html

    • This page still posts v .296. Try substituting /uk/ for /fr/ for the English-speaking page with .305.

      • Gotta wonder if the French or British versions would be different because of software export laws. One example of such law is the forbidding of sales of software with encryption keys over a certain length. The length limit is something like 56 bits and the remainder of the key is standardized for export-compatible versions. It’s at the behest of the NSA and goes back a long time, long before the NSA got publicity. So, if Flash has any similar features that are covered by some kind of Dumbing-Down Export Law, then would UK version be dumbed-down?

        • Found answer to my question.

          Downloaded from /fr/, /uk/, and the US side (no extra subdirectory) and then hashed all 6 files, 3 plug-in and 3 active x.

          The files for each type (AX vs Plug-in) are all the same from each location.

    • The English page is still showing version .296. Check the time stamp on this posting.

      Another post noted earlier that the download on the French page still ran with English instructions. Sooo, is it all the same download no matter what page you get it from (if the version numbers were the same, that is) and then it just uses your system language?

  6. If this vulnerability is being exploited in the wild, what sort of web pages are being hacked to send these drive-by downloads to people? Is it websites like Microsoft, cnn, espn, abc, nbc, bbc, amazon, ebay? Or is it more like less known sites? Are certain web publishers more vulnerable to have the websites they host hacked? I think I am missing something, I just do not know what it is.

    • @Michael: It’s not the sites themselves, it’s the ad networks they use. So while cnn.com is not directly hosting/serving any sketchy content, they are embedding an advertisement (and, crucially, that ad’s associated Javascript) in their page. That ad (and its Javascript) comes from an ad network that might offer self-service ad placement, meaning that no human at CNN or the ad network has actually seen the content or, crucially, reviewed the code that was just rendered and executed by your web browser.

      • Your explanation makes a lot of sense.

        Websites that connect their sites to these advertisement networks are knowingly putting their patrons at risk.

        Like for example a day care hiring a convicted predator, who says that he doesn’t do that anymore. It would be putting its customers at risk.

        I think I understand.

      • Bryan, I think you mean “associated Flash” not “associated Javascript”? This vulnerability is in Adobe Flash and is not related to Javascript.

        • A) I was being generic in my explanation, and B) I’m not entirely certain how these Flash exploits work, and just sort of assumed that JS is how it’s all orchestrated. I suppose it would need to be a malicious FLV, SWF, or whatever?

          To be honest I haven’t actually developed with Flash since about 2002, so I just don’t know what gets shat out of the webserver alongside it these days.

          • Even “legitimate” ad servers sometimes are the victims of SQL injections, and can be serving up malicious ads. I get crapware and malicious ads here on KOS all the time, but MBAM blocks the server requests to download more dangerous content. Otherwise my browser seems to be shrugging off any direct attacks to built in flash that Chrome or similar browsers use. I need to review the scripts on Script Safe and see which ones KOS doesn’t purposely host and block them – I just haven’t got around to it yet. It would be nice if Brian posted a legitimate list of scripts that his supporting agencies use, so we would know for sure that way.

  7. As of 10:30 PST, there is still no patch available on the Adobe distribution, nor on Windows update. I have one machine set for automatic updates and it was not patched either (still on .296)

    • I went to the Flash home page at

      http://get.adobe.com/flashplayer/

      and making to sure to deselect the McAfee load, I was able to install both the ActiveX and plug-in versions.

      • Why go through all that trouble?
        I just update Flash every time I get a popup message of “An install of Flash Player Pro is recommended”

        • Clicking to install from a popup is the MOST unsafe way to update your Flash – it is a frequent method used by scammers and hackers. It may seem to be more trouble to go directly to the Adobe website to download the update files, but it will be much safer!

          If you prefer to take a path of least resistance, then I would recommend downloading PSI by Secunia Software. It monitors and installs updates for all your software automatically. I recommend it especially for folks who know little to nothing about computers, you just can’t get any easier than this program – I have been using it for at least 5 years and have never had any issues with it. Oh, and I just checked – my Flash on all my browsers has already been updated to this new version!

          • I use chrome now and just go to settings, about, and it updates. For most people chrome automatically updates itself.

          • I’ve got Secunia PSI, but I really think it is the Adobe auto updater that is doing it for me. It has worked consistently well for the last five updates. Now when I see these KOS articles, I just check the program list to make sure it has already updated, and it has done so each time now(finally!).

    • http://www.adobe.com/products/flashplayer/distribution3.html

      It is still labeled as Flash Player 16.0.0.296 (Win and Mac)…..but you get the .305 version when you download….. I grabbed .305 at around 8:30am MST.

  8. If Google Chrome does not display the “Update Chrome” prompt then click “About Google Chrome” and it will check for updates. Go to “chrome://plugins” to check Flash version number if desired.

  9. I use “FlashBlock for Chrome” by Lex1 for Chrome to keep Flash from running without my knowledge. I remove the Flash Player whenever feasible and my iPhone doesn’t run Flash at all.

    Both Steve Jobs and I have had problems with Adobe. It seems to me that Adobe follows the old Microsoft method of programming where you just throw stuff out there filled with bugs and then charge people upgrade fees to fix it. It’s time for Adobe to get with the new way of doing things; even Microsoft seems to have gotten the message.

  10. Running with 16.0.0.305, but I see FileHippo is pushing Flash Player 17.0.0.93 Beta on its website. This is a bad idea, as it does not contain the fix for CVE-2015-0313 until next week. Be careful using betas.

    http://labsdownload.adobe.com/pub/labs/flashruntimes/shared/air17_flashplayer17_releasenotes.pdf

    Just scroll down in the pdf to known issues, oh dear!

  11. Would a website url checker like http://sitecheck.sucuri.net/ detect this type of stuff?

    I use noscript, jotti malware scanner for my rare downloads (works after downloading a less than 25mb file), malwarebytes free, bitdefender online scan, microsoft security essentials and occasionally site checkers, anyone know if the site checkers work well?

  12. I had a lot of trouble installing the latest adobe flash update on my Vista machine with Firefox. I ended up installing the patch like four times before the update showed it was the latest one.

  13. The title of this post could have been “Yet Another (Yet Another) Flash Patch Fixes Zero-Day Flaw”

    Just think, it’s only Feb. 5th, this month could set a record in the number of Flash patches in one month. Here’s Adobe’s track record over the past 10 weeks:

    11-28-14 Flash Player 15.0.0.239
    12-10-14 Flash Player 16.0.0.235
    01-15-15 Flash Player 16.0.0.257
    01-22-15 Flash Player 16.0.0.287
    01-27-15 Flash Player 16.0.0.296
    02-05-15 Flash Player 16.0.0.305

    P.S. I’m waiting with bated breath for 0.0.xxx to become 0.1.xxx…….. This company instills a lot of belief in their competence, eh? 😉

    • The site flashtester.org shows the bug fix history going back years. Just an *amazing* number of flaws.

  14. Brian Krebs, I sincerely thank you for following your bliss.

    Bonne renommée vaut mieux que ceinture dorée.

    English equivalent: A good name is the best of all treasures.

  15. Brian, as always, I thank you for all your hard work to keep us safe! Adobe Flash updated without a problem. Also was suggested, “Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit(EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.” I downloaded EMET on my 64-bit-Windows 7 machine, which made IE 11 completely unresponsive, so I had to use a restore point to eliminate EMET since I wasn’t even able to delete that program in Program files. Has anybody had that same experience?

    • EMET 5.1 works well on my machine, I had a blue screen of death only once just after installing it, but I think that was caused by a new graphics adapter I installed.

      You should be able to see EMET on CCleaner tools, or Revo Uninstaller, of even the regular Programs applet in control panel. I’m wondering if you got a legitimate copy?

      I just install using the recommended settings so I can avoid too many problems. When I check the settings, most of the protections are enabled for most programs and apps; so I’m pretty happy with this new version.

      • Thanks, JCitizen! I used the link that was given in Brian’s last blog to install EMET. Right after the installation, IE 11 froze completely, but I was lucky to at least get back to normal by creating a restore point that took the EMET installation out. Now I’m hesitant to go at it again in fear of more trouble.

        • I use it with chrome and haven’t had an issue. Do you use a website that requires IE? I think Chrome or Firefox would be safer.

  16. Adobe should release one more, and final, patch for Flash. Its purpose should be to cause Flash to commit suicide and completely remove itself (and any remnants such as Flash cookies) from the user’s machine.

    Continuing to release patches, and hoping that most people will apply them to a clearly buggy and vulnerable product, is delusional on Adobe’s part. If an airplane had to be fixed 3 times in 2 weeks, the FAA would require all carriers to ground the plane.

  17. Thank you, Brian.

    I don’t know what else needs Flash, but Shomi, a fairly new video streaming service in Canada from Rogers and Shaw, will not work without it.
    https://community.shaw.ca/docs/DOC-3648
    “In order to stream video content from shomi.com, shomi requires that you have the Adobe Flash Player installed on your device.”
    I discovered this two updates before this one, when Flash Player disappeared from IE, even though it was enabled, and could not be installed. With this patch, it installed again, without me going to the site. There are reasons people like me find computers mysterious and are grateful for Brian Krebs and other helpful people!

    • So you can’t use Shomi on any i device (iPhone, iPad, iPod)? I’ll bet you can, which means it really doesn’t require Flash.

      • Bruce Hobbs, you may be right about i devices, but I cannot check as I have none. Shomi did not work on IE in the period when I had the mysterious disappearance of Flash Player. (The only clue I had was that in order to install, I had to close IE, but it was already closed. Twice I rebooted and tried again to install, but Adobe kept telling me to close IE. Then, magically, with this patch it reappeared without me doing a thing.)

      • http://discover.shomi.com/devices

        Lists iOS devices, so, there’s apparently a Flash alternative.

        Personally, I’d encourage people to avoid shomi. It violates Net Neutrality by only working on one cable operator per region.

  18. I find it rather ironic that in order to check which version of Flash you have on your computer (using Brian’s link), you are obliged to activate Java. That’s the same Java that Brian recommends disabling. Numerous other web sites have the same requirement, sadly.

  19. IE doesn’t have click-to-play, but it does have plug-in whitelisting, which is useful.

    http://www.winhelponline.com/blog/disable-flash-all-but-whitelist-sites-ie8

  20. Why do people still even have flash enabled?

  21. I find the easiest way to check multiple plugin versions at once in Firefox and Chrome is to go to address:

    about:plugins

    (about colon plugins if it doesn’t show up right… Chrome will redirect to chrome://plugins)

    Both will show the versions of the plugins you have installed.

  22. +1 to enabling click-to-play, though it’s easier to do in chrome and Firefox than in IE (if you still use IE). I’m amazed at how prevalent Flash content is around the Internet, but haven’t found click-to-play to be at all an inconvenience.

  23. Adobe, please secure your product. Enterprises are tired of deploying 2-3 packages a month because your software developers don’t follow in-house security protocols.

    I mean, Christ, you’d think you were Microsoft.

  24. Brian, I think Internet Explorer does have the equivalent to click-to-play, namely ActiveX Filtering, which debuted with IE9. It’s easily enabled (gear icon > Safety) and pretty easy to live with IRL. We use it at work and I use it at home. Whether the drive-by threat of the day happens to be Flash, Java, PDF, Office, QuickTime or something else, it’s switched off by default. An easy win.

    For those looking for more easy IE tweaks, make sure Protected Mode is enabled, as well as _Enhanced_ Protected Mode. They’re in the Internet Options panel in the Security and Advanced tabs, respectively. Also enable 64-bit tab processes if you have it. And as Brian recommended, Microsoft’s EMET has a good track record of disrupting attacks.

    Power users can look into application whitelisting in the form of either Family Safety or SRP, which would block execution of the payload even if an exploit did deliver it and try to execute it; I have a how-to at mechbgon.com/srp on the subject.

    In the bigger picture, this tempo of Flash exploits is painting it as the new Java. I might try disabling Flash Player entirely for a while and see what the impact is.

  25. Strange, but when I check my Flash version at http://helpx.adobe.com/flash-player.html the site doesn’t give the upgrade warning banner, but it does indicate that the older version number is currently installed.

    Using FFox 35.0.1

  26. therotintheroot

    Funny how every time a major corporation gets 0wned the blame seems to fall on some nation which is either hostile to or out-of-favor with U.S. foreign policy.

  27. Adobe is killing flash on their own. The update site frequently does not work correctly. They make it hard to find the standalone installer. And, worst, they try to force McAfee on you whenever you run the installer. Pimping other software every time there is a security update is pretty lame.

  28. Brian,
    Thank you so much for this information re Flash.
    Two questions from a non-guru:
    How does using click-to-play reduce vulnerability?
    As a Mac user, if I remove Flash, what do I need to replace it with?
    Thanks,
    Michelle

    • Hello Michelle,

      From what I understand, click-to-play replaces all Flash with HTML5, which is much better. That is how it reduces vulnerability.

      Or at least that is what I understood from the notes on ClickToFlash and ClickToPlugin. That is what he recommended for Mac users such as yourself.

      Hope this helps.

  29. Malwarebytes Anti-Exploit

    Windows (XP and later) users can harden their web browser processes by using Malwarebytes Anti-Exploit, which is free when web browsers alone are protected. Anti-Exploit Free protects browsers with the following executable filenames:
    chrome.exe
    firefox.exe
    iexplore.exe
    opera.exe

    Anti-exploit protection covers plugins run by the above. This includes Adobe Flash. It provides great protection for zero day threats.

    I have no connection with Malwarebytes, a highly reputable and respectable firm.

    • So we can protect our browsers with mbam for free? I thought all the realtime scans were only a week trial? I’ll have to check it out.

  30. How do I get rid of the zero day flash virus? Have no idea how I got it but I am unable to remove it.