New Adobe Flash Vulnerability - CVE-2015-0313
For those of you who are losing track, yet another Adobe Flash vulnerability has been unleashed on their unsuspecting users. I am sure we all know the wording off by heart now, but in case:
Vulnerability identifier: APSA15-02
CVE number: CVE-2015-0313
Platform: All Platforms
Quote: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Many thanks to MJ for the heads up:
1. https://helpx.adobe.com/
2. http://blog.trendmicro.com/
Steve Hall ISC Handler www.tarkie.net
Comments
If anyone wants to try using it this time:
-Readme is in the repo along w deployment hints and pre-reqs
-in default deployment it's disableable click to play for versions marked unsafe (excl trusted sites and intranet) (OK not so much click to play but allow all on site (page?) x)
-let's hope MS will accelerate including out of date Flash there on their own (into the auto update version) and soon. Lately they've been using it for Java 7 with no recent public exploits so yea
Anonymous
Feb 2nd 2015
9 years ago
Anonymous
Feb 3rd 2015
9 years ago
Actually, I think these guys possibly have a series of zero days lined up so we are going to be on the emergency Flash update scramble for a while. Why do I think this? First, Adobe Flash consistently has one of the worst track records of all time of severe flaws which Adobe cannot seem to even get a handle on. Second, this group seems very adept at finding or obtaining Flash Zero days.
Kudos to Google/Firefox and HTML5 for helping to lay the foundations for the total elimination of Adobe Flash. Steve Jobs, yet again, proved he was a true visionary for refusing to allow Flash on iOS. My hat's off to you, Steve (R.I.P.), for taking point on ridding the world of Flash.
Anonymous
Feb 3rd 2015
9 years ago
Cisco requires Java to run some of their GUI config tools.
Our web filters require Flash and/or Java to manage.
Then there are other high priority or even business-critical systems that also require these relics, of course. But it's the management interfaces from *security* companies that still require these dang things that boggles my mind.
Anonymous
Feb 3rd 2015
9 years ago
No doubt Java and Flash will be required for some time. Oracle fixed Java primarily by imposing strong certificate authentication or explicit sysadmin exceptions for all Java code, conceding that promiscuous execution was no longer viable.
Perhaps now Adobe will follow suit to protect the legacy value of Flash and improve their reputation. Presumably all the direct-revenue-producing Adobe authoring tools now emit HTML5 WebGL and H.264 as readily as SWF, so Adobe will get by just fine.
Anonymous
Feb 4th 2015
9 years ago
Anonymous
Feb 4th 2015
9 years ago
Anonymous
Feb 4th 2015
9 years ago
https://blogs.adobe.com/psirt/?p=1171
Anonymous
Feb 5th 2015
9 years ago