Adobe Patches Flash Flaw Targeted by Exploit in the Wild

Intego.com ^ | April 14th, 2015 | by Derek Erwin

[Swordmaker]

Adobe Systems has released a patch for 22 vulnerabilities in Flash Player, one of which is reportedly under attack by an exploit that exists in the wild. The most critical vulnerability, CVE-2015-3043, could lead to code execution. Adobe's Flash Player security updates are available for Macintosh, Windows and Linux.

"Adobe is aware of a report that an exploit for CVE-2015-3043 exists in the wild, and recommends users update their product installations," said Adobe. If you reached this page because you're unsure if a popup alert from Adobe is real, take a look at our helpful guide for best practices how to safely install and update Adobe Flash Player.

Affected software versions (now out of date and vulnerable) include: Adobe Flash Player 17.0.0.134 and earlier versions, Adobe Flash Player 13.0.0.277 and earlier 13.x versions, and Adobe Flash Player 11.2.202.451 and earlier 11.x versions.

Adobe's security buletin describes the vulnerabilities patched in these updates as follows:

• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043).
• These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-0356).
• These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-0348).
• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358, CVE-2015-3039).
• These updates resolve double-free vulnerabilities that could lead to code execution (CVE-2015-0346, CVE-2015-0359).
• These updates resolve memory leak vulnerabilities that could be used to bypass ASLR (CVE-2015-0357, CVE-2015-3040).
• These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3044).

Adobe Flash users running Mac OS X and Windows computers should update to Adobe Flash Player 17.0.0.169 (14.9 MB) as soon as possible to avoid potential attacks. Linux users should update to Adobe Flash Player 11.2.202.457.

Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Flash Player 17.0.0.169. Moreover, Adobe Flash installed with Internet Explorer (IE) for Windows 8.x will automatically be updated to the latest version when available, which will include Adobe Flash Player 17.0.0.169.

In addition to patching Flash Player vulnerabilities, Adobe has also released security updates for ColdFusion and Adobe Flex—each addressing a separate vulnerability.

[jacquej]

Thank you, Swordmaker, for all you do.

[sparklite2]

Adobe updates software to often that I think they do it deliberately as a marketing gimmick.

[Swordmaker]

Sigh—Once again it is time to update that nest of vulnerabilities, holes, leaks and exploits, Adobe Flash Player. TWENTY-TWO vulnerabilities with one of them with IN THE WILD EXPLOITS are being patched for OS X, Windows, and Linus machines! — PING!

ADOBE FLASH UPDATE on ALL PLATFORMS Ping!

If you want on or off the Mac Ping List, Freepmail me.

[D-fendr]

I don’t think so. I think Flash is, and apparently always will be, a vulnerable vector for exploits.

[BullDog108]

Thanks Swordmaker. I am seriously considering uninstalling Adobe Flash from my boxes. It seems like a month doesn’t go by w/o another security hole in the software!

[Star Traveler]

I’m sure glad Steve Jobs kept Adobe Flash out of the iOS devices!

[Star Traveler]

I second the motion ... :-) ...

[Swordmaker]

Adobe updates software to often that I think they do it deliberately as a marketing gimmick.

If they were that smart, would they be foisting off all this messy spaghetti sieve code on us?

[dayglored]

Many thanks to Swordmaker for this one -- it affects us all.

> Sigh—Once again it is time to update that nest of vulnerabilities, holes, leaks and exploits, Adobe Flash Player. TWENTY-TWO vulnerabilities with one of them with IN THE WILD EXPLOITS are being patched for OS X, Windows, and Linus machines!

Another Adobe Update ... PING!

You can find all the Windows Ping list threads with FR search: search on keyword "windowspinglist".

[FreeInWV]

I uninstalled it (a painful task) about a year ago. It had an installer/updater constantly running on my machine. There is zero need for that. Just really suspicious and a security vulnerability IMHO. I haven’t missed it at all.

[tubebender]

Why doesn’t Apple/Safari do these updates like Firefox does?

[Swordmaker]

I uninstalled it (a painful task) about a year ago. It had an installer/updater constantly running on my machine. There is zero need for that. Just really suspicious and a security vulnerability IMHO. I haven’t missed it at all.

The more people who uninstall Flash Player, the quicker the troglodyte web designers who use Flash will get the message and just use HTML 5 for video content playback or coding of animations. . . and the faster we can kiss Flash and its mess of spaghetti sieve code goodbye for good.

[Vendome]

Adobe is the Biggest POS resource hog.

We should move to 724 or Apple

[Swordmaker]

Why doesn’t Apple/Safari do these updates like Firefox does?

You can turn on automatic download and install of updates. . .

If you are running OS X.9 Mavericks, or OS X.10 Yosemite, use this procedure:

1. Open “system preferences” from Apple Menu (or from Apple Dock)
2. Click on App Store
3. Check "Automatically check for Updates" (if it is not already selected).
4. Check "Download newly available updates in the background" (if it is not already selected)
5. Check “Install App Updates”(If it is not already selected)
6. Check "Install system data files and security updates" (if it is not already selected)

You'll need an Administrator's name and passcode to open the Preference Pane and to finish the set up, if I recall correctly.

If you are using OS X.8 Mountain Lion, use this procedure.

1. Open "System Preferences" from the Apple menu (or use the "System Preferences" icon on the dock).
2. Click on "Software Update" in the System section.
3. Click on the lock icon, if needed, to allow settings changes to be made.
4. Check "Automatically check for Updates" (if it is not already selected).
5. Check "Download newly available updates in the background" (if it is not already selected)
6. Check "Install system data files and security updates" (if it is not already selected)

For users of OS X.6 Snow Leopard and OS X.7 Lion follow these instructions:

1. Click on "System Preferences"
2. Click on "Software Update" in the System section
3. Check the box for "Automatically Check for Updates" and set to pull updates daily
4. Check the box for "Download newly available updates in the background."

After any of these, click the pad lock to re-lock the Preference Pane, then close the System Preference window which will also close the System Preference App.

[rarestia]

*facepalm* Why is Flash allowed to continue to exist? I wish everyone would just move to HTML5 and be done with it.

[Swordmaker]

*facepalm* Why is Flash allowed to continue to exist? I wish everyone would just move to HTML5 and be done with it.

[rarestia]

It’s a garbage platform! It’s the equivalent of Windows XP patched to the hilt.

[Windflier]

Done. Thank you, Swordmaker, for the timely alert.