New Adobe Flash Vulnerability - CVE-2015-0313

Published: 2015-02-02
Last Updated: 2015-02-02 15:12:32 UTC
by Stephen Hall (Version: 1)
8 comment(s)

For those of you who are losing track, yet another Adobe Flash vulnerability has been unleashed on their unsuspecting users. I am sure we all know the wording off by heart now, but in case:

Vulnerability identifier: APSA15-02

CVE number: CVE-2015-0313

Platform: All Platforms

Quote: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Many thanks to MJ for the heads up:

1. https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
2. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/

Steve Hall ISC Handler www.tarkie.net

Keywords: adobe adobe flash

Comments

I've updated the IE out-of-date ActiveX blocking custom manifest repo to mark 16.0.0.296 unsafe: https://github.com/mallorybobalice/ie-custom-oob-xml-rules

If anyone wants to try using it this time:
-Readme is in the repo along w deployment hints and pre-reqs
-in default deployment it's disableable click to play for versions marked unsafe (excl trusted sites and intranet) (OK not so much click to play but allow all on site (page?) x)

-let's hope MS will accelerate including out-of-date Flash there on their own (into the auto update version) and soon. Lately they've been using it for Java 7 with no recent public exploits so yea
Having read last week--with great pleasure--that YouTube/Google tipped the balance to HTML5 by making it default, this weekend I installed Firefox 36 beta (the final browser providing support for EME DRM), uninstalled Flash plug-ins from all systems, and disabled Flash in IE via Group Policy. Today I smiled a few times and wrote this comment and one other. Time to consign Flash to the dustbin. Good riddance!
I agree this series of Flash zero days was the straw that broke the camel's back as far as I'm concerned. I've eliminated it in my environment, and other than seeing a few missing ads it's been no problem. Now, I have to convince my clients to do it, which is going to be difficult as Flash has been part of the landscape for so long.

Actually, I think these guys possibly have a series of zero days lined up so we are going to be on the emergency Flash update scramble for a while. Why do I think this? First, Adobe Flash consistently has one of the worst track records of all time of severe flaws which Adobe cannot seem to even get a handle on. Second, this group seems very adept at finding or obtaining Flash zero days.

Kudos to Google/Firefox and HTML5 for helping to lay the foundations for the total elimination of Adobe Flash. Steve Jobs, yet again, proved he was a true visionary for refusing to allow Flash on iOS. My hat's off to you, Steve (R.I.P.), for taking point on ridding the world of Flash.
Man, that must be nice.

Cisco requires Java to run some of their GUI config tools.
Our web filters require Flash and/or Java to manage.
Then there are other high priority or even business-critical systems that also require these relics, of course. But it's the management interfaces from *security* companies that still require these dang things that boggle my mind.
Cisco requires Java. . .our web filters require Flash. . .

No doubt Java and Flash will be required for some time. Oracle fixed Java primarily by imposing strong certificate authentication or explicit sysadmin exceptions for all Java code conceding that promiscuous execution was no longer viable.

Perhaps now Adobe will follow suit to protect the legacy value of Flash and improve their reputation. Presumably all the direct-revenue-producing Adobe authoring tools now emit HTML5 WebGL and H.264 as readily as SWF, so Adobe will get by just fine.
=) re keeping Flash enabled for intranet - again if majority of users are on IE and hopefully for non admin interface Cisco tools, could deploy an out-of-date ActiveX blocklist marking Flash 25.0.0.0 safe [effectively whitelisting nothing for the internet zone in IE for a while]. Then custom zone settings via local LAN or trusted sites (after carefully reviewing what you actually have there and other settings there) (maybe Adobe can release something remotely useful in admin mgmt)
Adobe Security Bulletin https://helpx.adobe.com/security/products/flash-player/apsa15-02.html has been updated to show that "Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4". Additional support to follow...
"UPDATE (February 4): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11."

https://blogs.adobe.com/psirt/?p=1171
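
As an added example (not part of the original diary or of any comment, and not Adobe tooling): a small Python triage of a software inventory against the two versions named on this page, 16.0.0.296 as the last affected build and 16.0.0.305 as the first fixed one. The hostnames, sample readings and function names are constructed for illustration, and only the single release line quoted above is modelled; other release branches are not covered.

```python
import re

# Thresholds taken from this page: the advisory quote (affected) and the
# February 4 update note (fixed). Assumption: only this release line is modelled.
LAST_AFFECTED = (16, 0, 0, 296)
FIRST_FIXED = (16, 0, 0, 305)


def parse_flash_version(raw):
    """Return a 4-int tuple from '16.0.0.296' or 'WIN 16,0,0,296', else None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(raw):
    """Classify one reported version string against the page's two versions."""
    v = parse_flash_version(raw)
    if v is None:
        return "unparsed"      # follow up by hand, do not assume it is safe
    if v <= LAST_AFFECTED:     # numeric tuple comparison, field by field
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"           # a build between the two versions the page names


def triage(inventory):
    """Map host -> status for an iterable of (host, version_string) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory (hostnames and readings are made up).
SAMPLE = [
    ("ws-001", "16.0.0.296"),
    ("ws-002", "WIN 16,0,0,305"),   # comma-separated form with platform prefix
    ("ws-003", "16.0.0.1000"),      # a plain string compare sorts this below .296
    ("ws-004", "15.0.0.246"),
    ("ws-005", "not installed"),
    ("ws-006", "16.0.0.300"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Comparing the parsed integers rather than the raw strings is the point of the exercise: a string comparison would sort `16.0.0.1000` before `16.0.0.296` and report a patched host as affected.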
