Tuesday, June 23, 2015

Adobe Flash Zero-Day Attack!
Update To v18.0.0.194 NOW


Adobe Flash has yet another active zero-day exploit out in the wild. Adobe has therefore pushed out an 'out-of-band' update of Flash to the world today. Get it and install it NOW.

It is version

Apparently, Adobe has not yet finished the matching update to AIR, which needs updating whenever Flash is updated because AIR incorporates Flash. Therefore, watch for an AIR update in the very near future.


From Adobe's Security Bulletin for this update: 
Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets. 
. . . 
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2015-3113).  
At this point in time, the CVE's description, beyond what Adobe provides above, is blank. This is common while a vendor is still working on the fix for a CVE (Common Vulnerabilities and Exposures) entry and doesn't want to hand attackers any further clues to exploiting it.

Adobe's bulletin doesn't mention an exploit against OS X. But Adobe typically ships the OS X Flash update as well because the same exploit is usually possible on OS X too.
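To confirm that the Flash plugin actually installed on your Mac is at the fixed build rather than trusting the updater's word for it, here is an added example (not Adobe's code and not part of the original post): it reads CFBundleShortVersionString from the plugin's Info.plist and compares it field by field against 18.0.0.194. The plugin path and the XML plist layout are assumptions of this example, and the sample plist it ships with is constructed.

```shell
#!/bin/sh
# Added example (not Adobe's code, not the post's): check whether the OS X Flash
# Player plugin is at or above the build that fixes CVE-2015-3113.
FIXED_VERSION="18.0.0.194"
# Standard system-wide plugin location (an assumption of this example).
PLUGIN_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# Print CFBundleShortVersionString from an XML plist: the <string> element on
# the line after the key. Prints nothing if the key is absent.
plist_version() {
  sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# version_ge A B: succeed if dotted version A >= B, comparing each field as an
# integer (so 18.0.0.203 >= 18.0.0.194, but 18.0.0.160 and 17.0.0.188 are not).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ -z "$ai" ]; then ai=0; fi
    if [ -z "$bi" ]; then bi=0; fi
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# flash_status PLIST: print "patched", "vulnerable" or "not-installed".
flash_status() {
  if [ ! -f "$1" ]; then echo "not-installed"; return 0; fi
  v="$(plist_version "$1")"
  if [ -z "$v" ]; then echo "not-installed"; return 0; fi
  if version_ge "$v" "$FIXED_VERSION"; then echo "patched"; else echo "vulnerable"; fi
}

# Constructed sample plist for an un-patched 18.0.0.160 build, so the script runs anywhere.
SAMPLE_PLIST="$(mktemp)"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key>
  <string>18.0.0.160</string>
</dict></plist>
EOF

echo "sample plist: $(plist_version "$SAMPLE_PLIST") -> $(flash_status "$SAMPLE_PLIST")"
echo "this machine: $(flash_status "$PLUGIN_PLIST")"
```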

Me Grumbling

This is what it's like on the bleeding edge of these situations:

This morning I learned that Adobe had finished and released Flash v18.0.0.194. But I couldn't get it via the usual method of going to Adobe's website and clicking the 'Flash Player' link in the bottom right of the page. Adobe kept telling me I was already up-to-date. But I wasn't.

So I went to the System Preferences pane for Flash Player, clicked the 'Updates' tab, then clicked the 'Check Now' button. It too told me I was up-to-date. But I wasn't.

I downloaded what was linked on the Adobe Flash update page anyway. What I got was a barely functional installer that just sat there and did nothing. My guess is that I was running the installer at the time Adobe was pulling down the old update and putting up the new update. Therefore, there was nothing for the installer to download and install.

So I waited around then went back to the Flash update page.  Finally, the Adobe website noted that version was available. But as usual, Adobe said nothing about why the update was available on their update page. I hate that.

Therefore, I went over to Adobe's Security Bulletins page:

But there was no new security bulletin for Flash v18.0.0.194. All they had was the older bulletin from their second-Tuesday-of-the-month update, which was not related. So I waited a few hours and went back again. There, at last, was the relevant security bulletin. It took them long enough! 

Summary: Adobe announced the release of v18.0.0.194 before anyone could download it. When it was available to download, there was no security bulletin to tell you what the update was for. I hate that.

Apple has, in the past, done the same sort of blundering. It's a lack of coordination within a company. If this messing about was regarding some minor feature update, who cares? But when the update is all about blocking an exploit in the wild, we users deserve everything to 'just work' in a hurry. Waiting around for a company to get their security release and explanation together is not professional, at least not IMHO. So Adobe, please get your act together for the benefit of your victims, oops I mean users.

BTW: The usual warning

Adobe Flash is the second most dangerous software you can run on your Mac over the Internet. It's second only to Oracle's ruined version of Java for the Internet. If you don't need to run either of these Internet plugins, uninstall them and trash them.