Last Updated: 2015-01-25 02:30:43 UTC
by Johannes Ullrich (Version: 1)
(updated with Jan 24th update)
The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.
|CVE||Fixed in Flash Version||Currently Used in Attacks||Advisory|
|CVE-2014-8440||220.127.116.11 (Nov. 2014)||yes||APSB14-24|
|several||18.104.22.1687 (mid Jan 2015)||yes.||APSB15-01|
|CVE-2015-0310||22.214.171.1247 (late Jan 2015)||yes||APSB15-02|
|CVE-2015-0311||126.96.36.1996 (Jan 24th 2015)||yes||APSA15-01|
So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.