An update has been released for Adobe Flash that, according to Adobe, fixes the recently discovered and exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, you need to check for updates within Adobe Flash. (Personal note: on my Mac, I have not seen the update offered yet.) The new Flash Player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296. Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Johannes 4479 Posts ISC Handler Feb 5th 2015 |
Feb 5th 2015 7 years ago |
Awesome!!!
Let's just go ahead and start the countdown clock until the next one happens. I've been Flash free for about a week, and have had a surprisingly good experience other than a few news sites that insist on using Flash for video. I manage my security devices via their management program, and their formerly Flash dependent web interface is not in Flash anymore. A few years ago, I could not have done this for this long. I realize others are not there. I'm just worried these jerks have a stack of zero days that they're holding back for release. Having the world as your oyster for 10 odd days must really make these guys happy. Anyway, time will tell. Yes, I'm jaded, but the eventual death of Flash is imminent. I will be doing everything in my power to help that process along. Boycotting Flash will force the web sites using it to change. Also, shame on these advertising server farms as you are wreaking havoc with your lax policies.
pdawg 7 Posts |
Feb 5th 2015 7 years ago |
Quoting pdawg: Awesome!!!
Well, keep the "update" button handy... As said in earlier posts this is the "new preferred" methodology of attacks. As you see "cup of joe" (java) attacks reduce, these WILL continue. <sigh> Of course this would change if ALL, repeat ALL software distribution organizations actually did better testing. We have seen this with MS and their past failed update record. Sad, if we wrote code for a company, how long do you think we would have a seat?
Quote: Boycotting Flash will force the web sites using it to change.
Good luck with that!!!
P.S. Dr. "J" time to update the Sonic Wall information???
ICI2I
ICI2I 63 Posts |
Feb 5th 2015 7 years ago |
Anyone else seeing the update distribution site for the UK has the latest but the US version still has *.296?
|
TobySimmons 7 Posts |
Feb 5th 2015 7 years ago |
APSB15-04 is up, but not linked on the Security page. No sign of the binaries yet.
|
TobySimmons 3 Posts |
Feb 5th 2015 7 years ago |
I just ran the adobe stub installer, making sure to uncheck the boxes for the junkware, and grabbed the stand-alone installer from the pcaps I made when the stub installer was running. Now I have something to deploy to the rest of my users. Going by hand to 70 workstations and running the stub installer just isn't going to happen.
|
R 41 Posts |
Feb 5th 2015 7 years ago |
I'm dreaming of a Flash free world though it's going to take a while I will admit. Who's going to budget for rewriting a web site done 8 years ago?
I've tried to go Flash free in the past, and this is the longest I've ever made it. I don't really care about it anymore. I had to reimage one of my fully patched PCs back in late December after using Internet Explorer (up to date) very briefly where I don't run all of the ad blocking stuff that I run on my main browser. After analyzing my security, Flash was the only culprit or some other unknown IE exploit that could have possibly done it. I have further locked down things even tighter since then. Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.
pdawg 7 Posts |
Feb 5th 2015 7 years ago |
While the Adobe Flash Player distribution page is touting 16.0.0.296, the files that are available are actually 16.0.0.305 for both the EXE and MSI packages. Download away!
- Snuffy - |
Snuffy 4 Posts |
Feb 5th 2015 7 years ago |
Adobe released a new security advisory for Flash Player -
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
The advisory indicates this latest version addresses CVE-2015-0313 through CVE-2015-3030 inclusive. That's 18 CVEs!
toymaster 13 Posts |
Feb 5th 2015 7 years ago |
Quoting pdawg: Ditching Flash is just another part of it. If this keeps up, I may only surf the web in a VM.
Great idea or Onion... Shut down.. Poof.. gone! :o
ICI2I 63 Posts |
Feb 5th 2015 7 years ago |
Note: Adobe did it again!!!
http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe provided the latest 16.0.0.305 uninstaller. While telling on their download page for Flash it has been updated to 16.0.0.305, they still deliver 296 in the *.exe files, version with holes not fixed. Only the *.msi contain the updated .305 update.
http://www.adobe.com/products/flashplayer/distribution3.html
Just tested - this is simply not acceptable.
ELBE 13 Posts |
Feb 6th 2015 7 years ago |
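The mismatch reported above (a download page advertising 16.0.0.305 while the file served is still 16.0.0.296) can be caught before deployment by reading the version out of the installer itself. The following PowerShell sketch is an added example, not part of the original thread and not Adobe's tooling; the function names and the `.\staging` folder are hypothetical, and it assumes the EXE carries its version in the standard file version resource.

```powershell
# Added example: read the real version and signature of a downloaded installer.
$Expected = [version]'16.0.0.305'   # fixed version named in the thread

function Get-MsiProductVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Query the MSI Property table through the Windows Installer COM API.
    $invoke = [System.Reflection.BindingFlags]::InvokeMethod
    $getProp = [System.Reflection.BindingFlags]::GetProperty
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 opens the database read-only.
    $db = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer, @($Path, 0))
    $query = 'SELECT Value FROM Property WHERE Property = ''ProductVersion'''
    $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db, @($query))
    $null = $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null)
    $record = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)
    if ($null -eq $record) { return $null }
    $record.GetType().InvokeMember('StringData', $getProp, $null, $record, 1)
}

function Test-FlashInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path   # COM needs an absolute path
    $raw = if ([IO.Path]::GetExtension($full) -ieq '.msi') {
        Get-MsiProductVersion -Path $full
    } else {
        (Get-Item -LiteralPath $full).VersionInfo.FileVersion
    }
    # Version resources are sometimes written "16,0,0,305"; normalise before parsing.
    $ver = (($raw -replace ',', '.') -replace '\s', '') -as [version]
    $sig = Get-AuthenticodeSignature -FilePath $full
    [pscustomobject]@{
        File       = Split-Path -Leaf $full
        Version    = $ver
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject   # review by eye: should be the vendor
        OkToDeploy = ($null -ne $ver -and $ver -ge $Expected -and $sig.Status -eq 'Valid')
    }
}

# Usage (hypothetical staging folder holding the downloaded EXE and MSI files):
# Get-ChildItem .\staging\* -Include *.exe, *.msi | ForEach-Object { Test-FlashInstaller $_.FullName }
```

The signature check matters most for an installer recovered from a packet capture or any other indirect source, since a `Valid` status shows the file was not altered after signing.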
Quoting ELBE: Note: Adobe did it again!!! Just tested - this is simply not acceptable.
ICI2I 63 Posts |
Feb 6th 2015 7 years ago |
Goodbye Flash, but brace yourself for the upcoming flood of similar flaws in HTML 5 implementations.
|
jbmartin6 20 Posts |
Feb 6th 2015 7 years ago |
Quoting jbmartin6: Goodbye Flash, but brace yourself for the upcoming flood of similar flaws in HTML 5 implementations.
Yep.. and a whole new level of ignorance to follow...
ICI2I 63 Posts |
Feb 9th 2015 7 years ago |
Hi, long time listener, first time poster
I have been hearing that some are having problems obtaining the standalone msi installer for flash for updating. The following two links are for direct downloading the msi's for ActiveX and Plugin from Adobe:
http://fpdownload.adobe.com/get/flashplayer/current/licensing/win/install_flash_player_16_active_x.msi
http://fpdownload.adobe.com/get/flashplayer/current/licensing/win/install_flash_player_16_plugin.msi
In the past, when there is a major version change (i.e. 15 -> 16), just change the value in the url link. I hope this helps people.
Cheers, Ron Cullen
Hobart, Tasmania Australia.
Ron Cullen 1 Posts |
Feb 10th 2015 7 years ago |