|
[Update] Adobe now updated it's advisory and confirmed that version 16.0.0.296 fixes the o-day vulnerability (CVE-2015-0311). [2][3] Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website if this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash. This article will be updates as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk. Thanks to Christopher for noticing! [1] http://www.adobe.com/software/flash/about/ [2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html [3] http://blogs.adobe.com/psirt/?p=1160 --- |
Johannes 4511 Posts ISC Handler Jan 25th 2015 |
| Thread locked Subscribe |
Jan 25th 2015 7 years ago |
|
Adobe has updated its Security Advisory for Adobe Flash Player APSA15-01. http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post. |
Anonymous |
| Quote |
Jan 24th 2015 7 years ago |
|
Adobe Flash Distribution3 page still has 16.0.0.287 as the available download. No update as of yet.
|
Jared 3 Posts |
| Quote |
Jan 24th 2015 7 years ago |
|
There's an update on Adobe's PSIRT blog http://blogs.adobe.com/psirt/?p=1160
"... UPDATE (January 24): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player, please refer to this post. We will continue to provide updates on this issue via the Adobe PSIRT blog." |
Mark 2 Posts |
| Quote |
Jan 25th 2015 7 years ago |
|
Late, Saturday afternoon, get.adobe.com/flashplayer/ is still installing 16.0.0.287, I've tried twice.
And somebody noticed that the new version showed 16,0,0,296 (commas instead of dots) when it installed for them. Might want to check that it wasn't pushed out too quickly. Corporate GPO push will be waiting until sometime next week for the redistribution exe and msi installers to be upgraded. |
Mark 57 Posts |
| Quote |
Jan 25th 2015 7 years ago |
|
APSA15-01 updated today with this:
"UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post." And: "Revisions January 24, 2015: Updated to include Flash Player version delivered via auto-update. January 24, 2015: Updated to reflect reports that Windows 8.1 is also affected by CVE-2015-0311." From: https://helpx.adobe.com/security/products/flash-player/apsa15-01.html |
FTWMike 24 Posts |
| Quote |
Jan 25th 2015 7 years ago |
|
The Sophos story says it needs to be autoupdate, for the stand alone download installer you'll have to wait. https://nakedsecurity.sophos.com/2015/01/24/adobe-gets-second-flash-zero-day-patch-ready-2-days-early/
|
DFIRRules 1 Posts |
| Quote |
Jan 25th 2015 7 years ago |
|
The Adobe Flash Player Distribution page now has EXE, MSI, and DMG downloads for the 296 update, with the added bonus of no crap-ware add-ons.
http://www.adobe.com/products/flashplayer/distribution3.html Flash Player 16.0.0.296 (Win and Mac) |
Paul 47 Posts |
| Quote |
Jan 25th 2015 7 years ago |
|
These updates are also available in the Flash 13 extended support and current Flash version SCCM/SCUP catalogs for those using SCCM, WSUS Update Packager or Local Update Packager.
|
chrisl1977 6 Posts |
| Quote |
Jan 26th 2015 7 years ago |
|
And 16.0.0.296 is already a failed piece of history as of Feb... Prepare to patch again... Ain't this fun?
|
chrisl1977 57 Posts |
| Quote |
Feb 3rd 2015 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
