June 23, 2015

Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.

In an advisory issued Tuesday morning, Adobe said the latest version of Flash — v. 18.0.0.194 on Windows and Mac OS X — fixes a critical flaw (CVE-2015-3113) that is being actively exploited in “limited, targeted attacks.” The company said systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets of these exploits.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.)

In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all. In a happy coincidence, earlier today I published a piece about my experience going a month without having Flash Player installed. The result? I hardly missed it at all.


23 thoughts on “Emergency Patch for Adobe Flash Zero-Day

  1. i byte so therefore im bit

    I went on holiday for a week and had no devices, never missed them. and still when i returned my work was still there, with extra while i was gone. amazing how that works, isn’t it? didn’t even take any pictures. they are all in my head, only for me to remember and enjoy. and that’s the way things used to be, and we liked it!

    1. bob

      “that’s the way things used to be, and we liked it!” You mean, “that’s the way you liked it”. If “we” liked it, we wouldn’t haven’t invented the camera.

  2. James

    How long until MS releases its patch for Flash on Server 2012 or IE8 for admins to use?

    1. SalSte

      Why on Earth would any sysadmin be using Flash on a server?

      1. Todd

        I have admin tools that require flash, which is kind of depressing.

  3. Mike Adams

    Brian,

    Could this have anything to do with not being able to Log In to Chase Bank this morning? Getting certificate warnings and warnings about Chase using weak SHA-1 hashes.

    Enjoyed your show at CEIC.

    Thanks,

    Mike

    1. Cavoyo

      I doubt those certificate warnings have to do with this Flash vulnerability. The reason you’re getting those warnings is because SHA-1 has known weaknesses, and these weaknesses will make creating a fraudulent SHA-1 certificate feasible within the next few years.

      So Microsoft, Google, and Mozilla have decided to phase out support for SHA-1 certificates to stay one step ahead of the attackers. They’re doing this gradually, so you may be able to click through the warnings and access the site. However, the only long-term solution is for Chase to upgrade their certificates to use SHA-2.

  4. Angus

    Why install both the IE and Firefox players if you surf with Firefox or Chrome. Since I never surf with IE I uninstalled the ActiveX Flash Player.

    1. JCitizen

      Why install it at all? Youtube works without it on all browsers now according the their site. I’ve tested many browsers that didn’t need it before that time.

      The only reason I and many of my clients need it, is because we have applications that don’t operate without it. So we are tethered to it like so many of us victims that need java on the machine – all because of some application or another that just has to have it.

  5. qka

    Beautiful, coming right after your post on how to live without Flash!

  6. Susan

    What’s weird is the updates are out on the download center as of 11 hours ago.
    Security Update for Internet Explorer Flash Player for Windows 8.1 for x64-based Systems (KB3074219)
    http://www.microsoft.com/en-us/download/details.aspx?id=47697

    Security Update for Internet Explorer Flash Player for Windows 8.1 (KB3074219)
    http://www.microsoft.com/en-us/download/details.aspx?id=47696

    Security Update for Internet Explorer Flash Player for Windows Server 2012 (KB3074219)
    http://www.microsoft.com/en-us/download/details.aspx?id=47699

    Security Update for Internet Explorer Flash Player for Windows 8
    for X64-based Systems (KB3074219)

    https://www.microsoft.com/en-us/download/details.aspx?id=47698

    Security Update for Internet Explorer Flash Player for Windows 8
    (KB3074219)
    https://www.microsoft.com/en-us/download/details.aspx?id=47695

    Security Update for Internet Explorer Flash Player for Windows Server 2012 R2 (KB3074219)
    http://www.microsoft.com/en-us/download/details.aspx?id=47700

    KB is Missing in action: https://support.microsoft.com/en-us/kb/3074219

    1. Angus S-F

      I downloaded the MSI installer from the distribution page using WGET, which preserves the date/time stamp of the file (unlike a browser download). It is dated Friday, ‎June ‎19, ‎2015, ‏‎11:33:59 PM.

      Usually when there is a security fix to Flash Player, Adobe AIR gets the same fix. However, the “Adobe AIR Release Notes” page (https://helpx.adobe.com/air/air-releasenotes.html) links to a combined Flash 18/AIR 18 Rel.Note which implies that only Flash was patched, not AIR. The file on the AIR distribution page is still the old one from June 2.

  7. Jeff O'Byrne

    To make it even worse, they require that the system password be TYPED! It is almost impossible to type a good password into the old-fashioned asterisk password box. Time to just remove it again.

  8. dbalad

    The Flash vulnerability is a heap overflow attack. Provided you are using MS EMET this zero day issue should have been mitigated for you.

    Yet another reason to run EMET.

    1. BrianKrebs Post author

      Not so sure about that. From FireEye’s report on this exploit:

      “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques.”

      https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

      1. Peter

        No, he’s right. In addition to what you wrote, a vital step for this malware is heap spraying. EMET would have blocked that.

        Note, IE11’s 64bit mode (present in advanced settings) also helps somewhat.

        Last, using ActiveX filter mode (tools -> filter) is a 100% protection as well.

  9. IA Eng

    I can see regular patches for Operating systems, but with java and flash, these programs – even though they ride on an OS, shouldn’t need as many patches as they get over the years.

    Its mind boggling to think about all the patches that these programs have used. I personally have software in the network security field that is “phasing out” Java, and in one some instances, uses flash.

    I look at the big corporations that produce this software and think to myself….if their operations system requires a ton of patches throughout its builds, and they do java – and these require a ton of patches – why doesn’t virtual box need constant updates?

    Typically (even stereotypically) if processes are close to the same for two relatively large projects, the third more than likely should have issues as well. I tend to steer away from virtual box, since the corporation seems to be patch heavy in other regards. VB may be sound right now, but if it ever has a major issue, I can nod to myself and say that I avoided that clusterpatch ordeal.

  10. Pat Suwalski

    Yeah, it’s amazing to me that VMware actually went TO flash as their main administrative tool with recent versions of ESX. That’s a boneheaded move, if I’ve ever seen one. It’s way slower, too.

  11. Chris Thomas

    Seeing as its an out-of-course update, let’s hope that Adobe raises its dismal automatic update performance. Those non-tech users who rely on automation of Adobe updates are sadly let down. I have often found that two weeks or more can pass while the scheduled Adobe update jobs fail to persuade the Adobe servers to relinquish updates. Does Adobe really take seriously the integrity of its users’ security and data privacy?

  12. Mike

    So I guess IE6.0 on WinXP isn’t affected and is perfectly safe to use?

  13. Ian McKenzie

    Like many of you I have struggled with the decision to unilaterally remove Adobe’s Flash from all systems under my control for some time now. However, as industry professionals with even a basic understanding of the constantly evolving threat landscape that we operate within, and with the now wide availability of HTML5 as an effective replacement technology, I believe that we can no longer reasonably afford, in good conscience, to make such a concession on behalf of our users. To allow continued use of such a statistically unreliable software platform on your network is seriously bordering on negligence if not outright incompetence.

    I can’t help but recall the statement from Steve Jobs back in 2010 on the matter of Flash availability, or lack thereof, in Apple’s products. It was rather unpopular at the time. Link to full statement at the bottom.

    “Third, there’s reliability, security and performance.

    Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.

    In addition, Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it. Adobe publicly said that Flash would ship on a smartphone in early 2009, then the second half of 2009, then the first half of 2010, and now they say the second half of 2010. We think it will eventually ship, but we’re glad we didn’t hold our breath. Who knows how it will perform?”

    https://www.apple.com/hotnews/thoughts-on-flash/

  14. Michael Iger

    I hate the Adobe nuisance site adons. They could at least keep the garbage unchecked.

Comments are closed.