
SANS ISC: "Stealth" Update for Flash from Adobe - SANS Internet Storm Center


"Stealth" Update for Flash from Adobe

[Update] Adobe has now updated its advisory and confirmed that version 16.0.0.296 fixes the 0-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. Nothing on Adobe's website indicates whether this is a patch; as a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updated as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1] http://www.adobe.com/software/flash/about/

[2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3] http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.

Johannes

3414 Posts
ISC Handler
Adobe has updated its Security Advisory for Adobe Flash Player APSA15-01. http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.
Anonymous
Adobe Flash Distribution3 page still has 16.0.0.287 as the available download. No update as of yet.
Jared

1 Posts
There's an update on Adobe's PSIRT blog http://blogs.adobe.com/psirt/?p=1160

"...
UPDATE (January 24): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player, please refer to this post. We will continue to provide updates on this issue via the Adobe PSIRT blog."
Mark

2 Posts
Late, Saturday afternoon, get.adobe.com/flashplayer/ is still installing 16.0.0.287, I've tried twice.

And somebody noticed that the new version showed 16,0,0,296 (commas instead of dots) when it installed for them. Might want to check that it wasn't pushed out too quickly.

Corporate GPO push will be waiting until sometime next week for the redistribution exe and msi installers to be upgraded.
Mark
57 Posts
APSA15-01 updated today with this:
"UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post."

And:
"Revisions
January 24, 2015: Updated to include Flash Player version delivered via auto-update.
January 24, 2015: Updated to reflect reports that Windows 8.1 is also affected by CVE-2015-0311."

From: https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
FTWMike

24 Posts
The Sophos story says it needs to be autoupdate, for the stand alone download installer you'll have to wait. https://nakedsecurity.sophos.com/2015/01/24/adobe-gets-second-flash-zero-day-patch-ready-2-days-early/
DFIRRules

1 Posts
The Adobe Flash Player Distribution page now has EXE, MSI, and DMG downloads for the 296 update, with the added bonus of no crap-ware add-ons.

http://www.adobe.com/products/flashplayer/distribution3.html

Flash Player 16.0.0.296 (Win and Mac)
Paul

44 Posts
These updates are also available in the Flash 13 extended support and current Flash version SCCM/SCUP catalogs for those using SCCM, WSUS Update Packager or Local Update Packager.
chrisl1977

6 Posts
And 16.0.0.296 is already a failed piece of history as of Feb... Prepare to patch again... Ain't this fun?
chrisl1977
57 Posts
