Flash has already suffered three zero-day exploits in 2015

Back in 2010, Steve Jobs called for the death of Flash. Five years later, the need for Flash is diminishing, but days like this make one wish the process were further along.

The year for Flash started with the CVE-2015-0310 security bulletin and the corresponding fix, version 16.0.0.287. Just as that fell into our hands, Adobe warned about yet another flaw with CVE-2015-0311 and delivered 16.0.0.296 to the world. Now, in an effort to make this more humorous, Adobe has released CVE-2015-0313 along with the 16.0.0.305 update.

These rapid-fire, back-to-back problems are irritating. The issue is compounded by the hoops one has to jump through to update Flash. The Adobe Update tool only updates Internet Explorer or your Plugin Browser (e.g. Firefox), but not both at the same time. The updater also has a nasty habit of only checking for new builds after a full login—not after returning from sleep. Windows 8 and 8.1, meanwhile, rely on a completely different mechanism that pushes out Internet Explorer Flash updates via Windows Update. Your Plugin Browser in Win8 or 8.1 requires a manual update. And Chrome, unlike Firefox and IE, receives its Flash updates through a browser update mechanism. Got all that?
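Because the IE ActiveX control, the NPAPI plugin and Chrome's bundled copy each update on their own schedule, the practical check is to compare every installed build against the fixed versions in the three bulletins named above. The following is an added example (not Adobe's tooling or this site's code) that does that comparison; the comma-separated form of the version string is the one the Flash runtime itself reports, and the sample installs at the bottom are constructed.

```python
"""Compare installed Flash Player builds against the three 2015 bulletins."""
import re

# Fixed builds as named in the article, oldest first (constructed table).
FIXES = [
    ("CVE-2015-0310", (16, 0, 0, 287)),
    ("CVE-2015-0311", (16, 0, 0, 296)),
    ("CVE-2015-0313", (16, 0, 0, 305)),
]


def parse_version(text):
    """Parse a Flash version string into a 4-tuple of ints.

    Accepts the dotted form ('16.0.0.305') and the comma form the runtime
    reports ('WIN 16,0,0,305'); raises ValueError on anything else.
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(version_text):
    """Return the CVEs from FIXES whose fixed build is newer than the
    installed one, i.e. the bulletins this install is still exposed to."""
    installed = parse_version(version_text)
    return [cve for cve, fixed in FIXES if installed < fixed]


def report(installs):
    """installs: component name -> version string, one entry per Flash copy
    on the machine (IE ActiveX, NPAPI plugin, Chrome PPAPI update separately).
    Returns component name -> list of CVEs still unpatched there."""
    return {name: unpatched_cves(ver) for name, ver in installs.items()}


if __name__ == "__main__":
    # Constructed sample: a machine where only IE received the 305 update.
    sample = {
        "IE ActiveX": "WIN 16,0,0,305",
        "Firefox NPAPI": "16.0.0.296",
        "Chrome PPAPI": "16.0.0.287",
    }
    for name, cves in report(sample).items():
        print(f"{name}: {'up to date' if not cves else ', '.join(cves)}")
```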

Malwarebytes is reporting that the latest exploit (CVE-2015-0313) has been under active attack since December 3. Part of the success has been fueled by exploit kits being sold online, making it easy for script kiddies to get into the game. What are the bad guys using it for? Invincea says the poison of choice is crypto ransomware. Given the ubiquity of Flash and the fact that malicious adverts are being pushed on trusted domains, this puts everyone at risk, laymen and experienced users alike.

With the sad situation laid bare, let’s get to talking about what we can do to close off this vulnerability.

I have one more important detail to provide as I wrap this up. Normally, the PC world gets to enjoy such misery on its own, but this problem also exists for Mac users. Hi guys!

Comments closed
    • Krogoth
    • 5 years ago

    Die, Flash die.

    • Cannonaire
    • 5 years ago

    Only three so far? Looks like Adobe has stepped up their security!

    • UberGerbil
    • 5 years ago

    Does Flash now reliably update when you’re not logged in as an Admin? I found that to be one of the (many) irritating things a few years ago that led me to just uninstall from relatives’ computers (I’d never installed it on my personal machine): if you set it to autoupdate, it would often fail unless you happened to be logged in as Admin. There was even a whole KB article about the hoops you had to jump through to get that to work (and it still didn’t work for me even after jumping through the hoops).

    • UberGerbil
    • 5 years ago

    I uninstalled Flash from a relative’s computer (as I generally do as part of the maintenance process when I get asked to “fix” something). Said relative later complained a certain website no longer “worked.” I replied “That’s a bad website, you don’t want to go there.” I haven’t heard anything since.

    And in my experience it’s generally true: games aside, there is almost no content still in Flash that isn’t pure advertising or malware of one sort or another.

      • silverbacknet
      • 5 years ago

      Lots of news and porn sites still use Flash exclusively, without them Flash probably would already be dead for good. Plus there are tons of old embedded Youtube videos that become linkrot without Flash enabled, it’s too bad they aren’t updated with the simple new code.

      • 3SR3010R
      • 5 years ago

      “I uninstalled Flash from a relative’s computer (as I generally do as part of the maintenance process when I get asked to ‘fix’ something). Said relative later complained a certain website no longer ‘worked.’”

      You should be banned from working on any computer but your own. Today it is Flash you remove, next it will be IE, then it will be [insert whatever you hate].

    • ThatStupidCat
    • 5 years ago

    If you use firefox, click on menu, add-ons, then plugins. Put the adobe stuff on “ask to activate”. Now when you go on web pages those flash videos won’t start unless you give them permission. It’s not that much of a hassle and has really cut down on random crap and random audio. Don’t give it global site permission unless you really trust the site. Even then I prefer to have it ask. Just activate them as needed. After you give it permission you might have to hit the recycle on the address bar but that has happened only on youtube.

    I don’t know if this can be done on IE or Chrome but if someone knows how, can you post it?

      • 3SR3010R
      • 5 years ago

      Flashblock works fine for me on Firefox.

        • destroy.all.monsters
        • 5 years ago

        Also NoScript and RequestPolicy

    • sschaem
    • 5 years ago

    “this puts everyone at risk” … That do not use Chrome

    How do you really solve windows vulnerabilities and stop being a high risk target.

    – Don’t install third party software
    – Disconnect your computer from any networks
    – Use a Mac or Android device
    – De-install Windows

    • Ryu Connor
    • 5 years ago

    16.0.0.305 for IE on Windows 8 & 8.1 is now available on Windows Update.

    KB3021953

    http://www.microsoft.com/en-us/download/details.aspx?id=45527 - Windows 8 32bit
    http://www.microsoft.com/en-us/download/details.aspx?id=45529 - Windows 8 64bit
    http://www.microsoft.com/en-us/download/details.aspx?id=45530 - Windows 8.1 32bit
    http://www.microsoft.com/en-us/download/details.aspx?id=45531 - Windows 8.1 64bit

    • achaycock
    • 5 years ago

    It’s also worth noting that Linux isn’t invulnerable either, although I noticed on my CrunchBang installation that Flash was already on 305 and the same was true for Linux Mint on my system at home. I’ve disabled the plugin all the same, but for anyone on a Debian-style release:

    sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get clean

    You might want to disable the -y flag if you want to review your updates first 🙂

    • Flying Fox
    • 5 years ago

    The “Update Flash” Adobe page does not have links to 305 yet, only 296. 🙁

      • south side sammy
      • 5 years ago

      Click the link in the thread (305) above. When you go to the page you will see a link to Adobe on the upper right hand side. There you will get the new update. Not that difficult.

        • Flying Fox
        • 5 years ago

        Not terribly difficult, but confusing. If you don’t go to the right side (actually the page is already on Adobe, so “link to Adobe” sounds weird to begin with), but just read the page like normal people do, the Downloads section contains “Flash Player 16.0.0.296 (Win and Mac)”. That is the part that I am not happy about.

      • Shinare
      • 5 years ago

      It does now. Just pushed it out via GPO.

        • Flying Fox
        • 5 years ago

        I’m going to declare that the increased relevance generated by this TR post forces Adobe to finally push out the update sooner. Yay! 🙂

    • mcnabney
    • 5 years ago

    I am not exactly shocked here. Flash is a soon to die application. Any company would be foolish to spend capital supporting a product that has almost no revenue.

      • silverbacknet
      • 5 years ago

      Like the first line of the article, I remember when Steve Jobs said that too. (In fact, I’m pretty sure he said it in 2008.) Yet here we are, 2015 and Flash is still all around.

    • crystall
    • 5 years ago

    Note that if you’re on Firefox vulnerable Flash plug-ins will be blocked from running by default and Firefox should complain loudly about the plug-in being out of date if a page requests it. You can still force it to run though I don’t see any good reason to.

    • 3SR3010R
    • 5 years ago

    Oh good god why all the wailing?

    Had Secunia PSI (v2.0) installed
    http://secunia.com/vulnerability_scanning/personal
    Wake up this morning to this screaming piece about the sky is falling
    Check and see that Secunia PSI has already auto-updated Flash for both IE and Firefox to the latest version already
    Post this message

      • The Dark One
      • 5 years ago

      3.0 was such a letdown, wasn’t it?

        • puppetworx
        • 5 years ago

        Yes! I don’t know what they did to it but it hangs forever and refuses to update anything automatically for me. It’s a shame, I used to recommend it regularly, now it’s just more startup bloat for people.

        • 3SR3010R
        • 5 years ago

        Yes, it was the dumbed down version. Thank goodness V2.0 still works fine.

      • anotherengineer
      • 5 years ago

      pfff just run a VM on your pc

      rocking out to 98se and netscape muwahahahah

      • davidbowser
      • 5 years ago

      I should never have updated from 2.0. Flash and Java NEVER update correctly now.

      I stopped recommending the corporate version (CSI) to customers because of my experience with PSI.

        • 3SR3010R
        • 5 years ago

        Why don’t you uninstall 3.0 and reinstall 2.0?

    • anotherengineer
    • 5 years ago

    “I have one more important detail to provide as I wrap this up. Normally, the PC world gets to enjoy such misery on its own, but this problem also exists for Mac users. Hi guys!”

    LOLZ
