28
Dec 15

Flash Player Patch Fixes 0-Day, 18 Other Flaws

Adobe has shipped a new version of its Flash Player browser plugin to close at least 19 security holes in the program, including one that is already being exploited in active attacks.

The new Flash version, v. 20.0.0.267 for most Mac and Windows users, includes a fix for a vulnerability (CVE-2015-8651) that Adobe says is being used in “limited, targeted attacks.” If you have Flash installed, please update it.

Better yet, get rid of Flash altogether, or at least disable it until and unless you need it. Doing without Flash just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). This link should tell you whether your system has Flash and if so which version of Flash is installed in your browser.


37 comments

  1. Doesn’t yet seem to be an update for IE11 on Windows 8.1

  2. My company has been Flash free for a while now, other than a few weird sites that STILL insist on working in the dark ages with Flash, it’s been a breath of fresh air not having to deal with the constant updates and security issues related to Flash sites…

  3. Bruce Altschuler

    When I tried to download the latest update to Flash Player for Windows, it asked the usual question, did I read and consent to their agreement. Unfortunately, when I looked at the conditions, they were in Arabic, so I quit the download. Has anyone else had this problem?

  4. Dark ages – Flash? I wouldn’t exactly call HTML5 and CSS the age of Light. I don’t particularly like Adobe’s approach to their Flash Player but can we get off the continual and sustained bashing of a technology. Software companies release fixes to their product all the time and you never hear anyone going oooh yeh, my company’s been MySQL free for ages… Updates to product will always happen…Get over it
    And Krebs – give it a rest….

    • Do you work for Adobe? Just wondering if you forgot to add that disclaimer in your post.

    • You talk almost as if you somehow blame Krebs for this. There is a serious problem with Adobe products. It should be obvious (to the world).

      “…Updates to product will always happen…”

      lol….yeah right! Sure! They can do whatever they like. I have no need for their updates. Adobe can keep their updates. For Flash and everything else they make. No updates happening here. Who are you to tell other people that they MUST have Flash on their machines? You get over it!

    • Dude, Flash is one of the most common means of infection for the past few years. The application has way too much access on systems and way too little user controls to restrict its ability to run code. If it wasn’t for Flash and its crappy coding we might have HALF the infections from web use or less in the last few years.
      Their PDF software is just as bad, but there are plenty of alternatives at least.

  5. Went straight to the Adobe Flash Player Distribution page for the unencumbered update downloads: as often recommended (though not here) by Brian. All readers: note the WARNING that now appears at the top of that page.

    • Yup! They’ll skim for every penny they can make off crapware!

      • Yeah I saw that too…one more month before we have to go through the normal route…

        I can’t think of a good reason they’d do this other than to increase the money take they make off the additional crapware installations they’ll get from the careless users.

    • All well and good for checking. Unfortunately, from there, you must link to this page in order to install the latest version. And that is where you must be wary and aware every time to “opt out” of otherwise-automatic installations of crapware along with your new Flash. Brian’s recommended (and soon to be “decommissioned”) page for new versions always offered clean installation links.

      • Yup, the preferred “distribution3” page is going away on January 22nd.

        Has anyone figured out how much Adobe earns off the commissions from the crapware co-installs foisted on unsuspecting users during Flash updates? Or, maybe a Deep Throat within Adobe could leak that figure?

        I see that after installing the update via the page they want you to use culminates with a trip to an Installation Success page with yet ANOTHER product advertisement to their captive audience; mine pointed to:

        https://get.adobe.com/flashplayer/completion/adm/?exitcode=0&type=install&re=0&appId=200

        • The stock price of ADBE is about 35 dollars higher than it was 12 months ago, has valuation over 96 Billion dollars. I doubt much of their revenue growth came from automatic installs of non-Adobe software.

  6. Wow! Just had an update last week!

  7. For those of us that have to have flash on-board, I always wonder why it seems all three versions need to be updated before any of the version numbers change – used to be, all I had to do was update just one of them, and the other followed automatically. Of course the auto update feature on Adobe has been worthless for nearly a year now (never was stellar).

  8. And so does this affect Linux? And why no mobile site?

  9. Thanks for the heads up, Brian.

    I have Flash disabled and enable it whenever needed.
    Quite a few websites, at least of the ones I access, require it.

  10. I’ve completely removed flash from my office PC at this point and aside from the difficulty in finding a bandwidth testing website that matches up to speedtest.net, I haven’t missed it.

  11. Sorry, your computer does not have the latest Flash Player installed.
    ( Your version 20.0.0.228 Latest Version 20.0.0.267 )

    DUH — I suspect there must be more than one lame programmer working for Adobe.

  12. So this update for Adobe breaks a dental practice management program called Dentrix, G5 specifically. We had to roll the office back to 18 to get it to work consistently…yeah dental software is bad for security.

    It breaks how the program opens and how it prints documents.

  13. I am sure that you have discussed this elsewhere but I don’t see it – the Update Flash page you linked to tells me that Flash is baked into the Windows 10 Pro Edge browser and I don’t need to update it.
    Really?

  14. Secunia sucks at updating Firefox and it needs an update seems like every other day.

  15. I have discovered that the Flash player update installer download will not run on x86 SSE only processors. The soon to be unavailable full Flash update installer does support x86 SSE only processors.

    Obviously, Adobe’s right hand does not know what its left hand is doing.

    Fortunately, the sluggish automatic updates do work.

  16. Thanks for 86’ing the full binary download page which is coming soon, Adobe. Thank you very much.

    PS: FU Adobe and stub downloads/partial downloads which require a live net connection to fully install.

    • What utter commercial stupidity by Adobe to impair access to updates of its FREE Flash player without which Adobe’s customers, who PAY for the Adobe Flash authoring tool, would have many fewer viewers of their content.

      Adobe seems adept at shooting itself in the foot, what with its apparent complete indifference to the security concerns of its users. What a pity it has ruined a very good video player and, as an unintended consequence, probably a considerable revenue stream to itself.

  17. twinmustangranchdressing

    The Flash Player plugin of the Chrome browser on an old MacBook I have access to seemed to get updated without the browser getting updated to a new version. The plugin on the Chromebook I’m using now hasn’t been updated yet. No news has been posted to googlechromereleases.blogspot.com since December 17.

  18. twinmustangranchdressing

    The Flash Player plug-in of the Chrome browser on an old MacBook I have access to seemed to get updated without the browser itself getting updated to a new version. The plug-in on the Chromebook I’m using right now still hasn’t been updated. No news has been posted to googlechromereleases.blogspot.com since December 17.

    (My apologies if this is a duplicate comment.)

  19. twinmustangranchdressing

    There’s now a newer version of the Flash Player plug-in for Internet Explorer (except on Windows 8 & 10), 20.0.0.270.

    • Yep, noticed it once again sets all the security settings back to allow all data and camera/microphone..

  20. If you disable Flash will it continue to automatically update on your browser? Or will you need to update it in the occasions that you need to re-enable Flash so you are not using an outdated (vulnerable) version?

  21. FWIW, there is now an update of Adobe AIR available which brings it to v20.0.0.233.