New unpatched vulnerabilities uncovered in Flash, Java

Watch where you point those web browsers: Oracle's Java and Adobe's Flash are both subjects of new zero-day vulnerabilities. As Ars Technica reports, a hole in Java and two more Flash weaknesses have been unearthed as part of the Hacking Team data leak.

The Java hole may be the most troublesome. Anti-virus maker Trend Micro warns on its corporate blog that it has detected email messages, addressed to both a NATO member and a US defense contractor, that exploit the vulnerability. Trend Micro also notes that this marks the first zero-day attack against Java since 2013, and advises disabling Java until the security issue is patched by Oracle.

Ars also details two Flash vulnerabilities, which are unrelated to another Flash problem patched last Wednesday. These security holes are present in the current version of Flash on Windows, Mac, and Linux systems. At present, there's apparently no known attack that exploits these holes, but users should be cautious regardless. Adobe has published a security bulletin and plans to update the plugin this week.

Ben Funk

Sega nerd and guitar lover

Comments closed
    • auxy
    • 5 years ago

    Just set Flash to ‘click-to-play’ in Chrome and disable it elsewhere…

    With Flash, Java, and ActiveX plugins disabled, PDFs set to download-only, and an ad-blocker, browsing the web with IE11 is lightning-fast! (*´ω`*)

    • Nevermind
    • 5 years ago

    Like a bad Marvel sequel.

    • mFvwv0zduc
    • 5 years ago

    I uninstalled Java + Flash some 2 years ago. I have not had any problems since. Neither viruses nor security problems. Cheers

    • Techgoudy
    • 5 years ago

    It’s sad, but we live in a world where every piece of hardware, software, and even firmware can be exploited. These articles no longer surprise me anymore because it’s expected that someone will find fault in these programs. No development team is perfect and no product is either. I mean think about it. Two platforms that are installed on a majority of devices in the entire world are bound to be targets of hacking. That is just the way it is. Whatever standards in the future will follow the same fate as Java and Adobe.

    • BlackDove
    • 5 years ago

    You could always use exploit mitigations like Malwarebytes Anti Exploit or EMET like I have been for years.

      • Nevermind
      • 5 years ago

      Good, but probably not good enough. You might want to be sandboxed on top of that.

        • BlackDove
        • 5 years ago

        Sandboxes are easy to break out of.

    • Visigoth
    • 5 years ago

    Why am I NOT surprised with this?!?

    • Goofus Maximus
    • 5 years ago

    I wish someone would teach Hulu how to use HTML5 for their videos…

    • Laykun
    • 5 years ago

    Flashblock, best Chrome plugin I’ve ever installed. As you always know that somewhere on the net you’ll eventually need Flash to access something you actually want.

    • UnfriendlyFire
    • 5 years ago

    *Attempts to use Pearson eText for an online course with Flash disabled*

    Result? This:

    “Pearson eText Application requires at least Adobe Flash player11.2.0. Click the link to download the latest Adobe Flash Player. Get Flash”

    Yeah, it ONLY uses Flash.

      • Visigoth
      • 5 years ago

      That’s why developers like these need to be shot.

        • UnfriendlyFire
        • 5 years ago

        And management as well.

        “Well if it isn’t broken, why fix it? Funding denied!”

      • Philldoe
      • 5 years ago

      You… have no idea. I did a recent short stint of work for them in the technical help department related to MyITLab and MyMathLab for certain schools requiring specialised technical support that the main team were unable to provide. I could tell you horror stories.

      9/10 times the main team would have a student open up every piece of a browser’s built-in security features because it was easier to do than help a student or educator set up an exceptions list.

    • VinnyC
    • 5 years ago

    From my experience, Java’s only function seems to be to disable itself from running. It’ll detect that something is trying to run it, and then give you a wave of pop-ups declaring “not to worry, we’ve disabled this horribly unsafe thing from running!”

    Unfortunately for us IT admins, Java is still a regular thing that has to be dealt with. Web access to things like KVMs and other various systems is all Java-based, and the only way to get to half of them is to have a bunch of virtual machines that have various versions of Java installed, since it’s so finicky about working with new builds. It’s ridiculous.

    • Chrispy_
    • 5 years ago

    It’s much easier to just assume that no matter how many patches are ever applied to Flash and Java, they will always be riddled with vulnerabilities just waiting to be exploited.

    The biggest vulnerability is the unprepared user who allows the auto-updaters to install the Ask Toolbar, McAfee Security Scan, and friends.

    • brucethemoose
    • 5 years ago

    Absolutely shocking news! Another unpatched Flash and Java vulnerability... who would've thought?

    • anotherengineer
    • 5 years ago

    Uninstall both.

    Done & Done!

      • jessterman21
      • 5 years ago

      Dutifully uninstalled both on my parents’ and in-laws’ 4 PCs last week.

    • TwistedKestrel
    • 5 years ago

    Everyone smug about not having Java installed for at least half a decade line up here.

    Disclosure: I’m one of them

      • Chrispy_
      • 5 years ago

      I’ve only been smug the last couple of years. An overwhelmingly large number of mainstream websites required either Java or flash five years ago.

      I guess if you don’t use any webapps you could probably have survived without them in 2010. HTML5 was only officially finalized eight months ago, after all….

      • LostCat
      • 5 years ago

      I installed Java…for about ten seconds.

      • SoM
      • 5 years ago

      I’m clean from that evil Java n Adobe for 6 years now

      • homerdog
      • 5 years ago

      I have to use Pingtest all the time and it requires Java for the only subtest I care about (packet loss). Is there any alternative to Pingtest that doesn’t require Java?

      • dmjifn
      • 5 years ago

      Yeah…. unfortunately I’m currently stuck until I move away from Crashplan and some Oracle tools. Bleh.

      • chuckula
      • 5 years ago

      I *HAVE* to have Java installed.
      Having said that, I’m not going to get it running from clicking on an email attachment and the browser blocks the Java plugin on all websites except the one that requires it.

        • AnotherReader
        • 5 years ago

        Many of us in the corporate world have to use Java. That being said, as chuckula said, it is only used on the websites that require it.

    • Peter.Parker
    • 5 years ago

    Original lyrics of “Flash” song by Queen:
    “Flash a-ah, Savior of the Universe ! ”

    Revised version:
    “Flash O-OH, danger of the Universe !”

    • Duct Tape Dude
    • 5 years ago

    Up until today I’ve been updating Flash religiously because of all these security holes, but today I figured “why not just uninstall Flash?”

    I’m not missing anything so far.

      • AdamDZ
      • 5 years ago

      Same here. Looks like most sites I use moved away from Flash. I may miss some ads though 😉

      • trackerben
      • 5 years ago

      Both gone, all a-ok.

    • tsk
    • 5 years ago

    Can flash please die?

      • Peter.Parker
      • 5 years ago

      Is it you, Professor Zoom?

      • Aquilino
      • 5 years ago

      Uninstalled Adobe Flash a couple of weeks ago. All websites that I care about work with HTML5.
      Not going back.

      • SoM
      • 5 years ago

      and take java with you

        • Wirko
        • 5 years ago

        Google “most popular programming languages 2015”. Or use Bing if you think Google is partial.

      • adisor19
      • 5 years ago

      That’s what Jobs asked in 2010. Always ahead of the times it seems..

      Adi

      • Techgoudy
      • 5 years ago

      So it can be replaced by another product, that will continue to be exploited? I say keep Adobe and Java alive so they can be scapegoats honestly. Every product will succumb to what is happening to Java and Adobe one day.

      • Meadows
      • 5 years ago

      Flash has a number of advantages and some functionality that competing technologies still can’t do.
