Security Advisory for Adobe Flash Player

[wiskerke]

This means: disable the Flash Player in your browsers. All browsers are affected. All platforms are affected. There may be an update of the Flash Player tomorrow.

Yes, this means no Manage Images 2 for the moment.

 

Alamy, maybe reinstate access to Manage Images 1.0 for everyone for a couple of days?

 

 

Adobe Security Bulletin

Security Advisory for Adobe Flash Player

Release date: July 7, 2015
Vulnerability identifier: APSA15-03
CVE number: CVE-2015-5119
Platform: Windows, Macintosh and Linux

Summary

A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  
Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.

Affected software versions

 

Adobe Flash Player 18.0.0.194 and earlier versions for Windows and Macintosh

• Adobe Flash Player Extended Support Release version 13.0.0.296 and earlier 13.x versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.468 and earlier 11.x versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.   

Severity ratings

Adobe categorizes this as a critical vulnerability.

Acknowledgments

Adobe would like to thank Google Project Zero and Morgan Marquis-Boire for reporting CVE-2015-5119 and for working with Adobe to help protect our customers.

 

 

 

Over at Symantec read this:

 

Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash Player which could allow attackers to remotely execute code on a targeted computer. Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.

 

 

 

- Sorry I was so late with this. I had my Flash Player disabled as soon as the word was out. I only realized the impact here when I clicked on edit image just now.

 

wim

[spacecadet]

Good job I used FTP this morning then but I've been keywording since.

Presumably coincidentally FF suddenly started objecting to Flash v17 as out-of-date last week.

I'm inclined to carry on unless I get a suspicious crash.

[wiskerke]

Normally I'm not alarmist about vulnerabilities or malware: that usually causes far more damage than the attacks itself.

However it has been suggested that simple ads on a page can be used to exploit this.

And that the payload of infection may be not just malware, but ransomware.

 

I will give some links about that when I find them in English. For the moment I have them in Dutch only.

 

wim

 

edit:

here is the original report that it has been found in the open: http://malware.dontneedcoffee.com/

[spacecadet]

I've changed to click-to-activate pro tem.

[wiskerke]

I've changed to click-to-activate pro tem.

 

Probably a good enough solution.

SecurityWeek says there is an update already, but Adobe doesn't seem to have it lined up yet.

Or the server is down already ;-)

(OK let's not add to that, I have removed the link)

 

wim

[wiskerke]

The Firefox update is available already:

https://get.adobe.com/flashplayer/

 

No luck so far for the Internet Explorer one. It should appear in the same place: it does a quick system scan and then selects the offer.

Don't forget to un-click the optional offer to download some sort of MacAfee product. Unless you would just want that of course.

 

wim

[Kathy deWitt]

Hi Wiskerke:

 

Thanks for reporting this.  I have uninstalled from browsers.  But what do you do about external hard drives?  Will this just happen when updated or do you have to uninstall on

each hard drive too?  

 

Or maybe it doesn't even apply??

 

Kathy

[wiskerke]

Hi Wiskerke:

 

Thanks for reporting this.  I have uninstalled from browsers.  But what do you do about external hard drives?  Will this just happen when updated or do you have to uninstall on

each hard drive too?  

 

Or maybe it doesn't even apply??

 

Kathy

 

It doesn't apply there. Unless of course you have an image or a backup of your system there. In that case: update the mirror or backup, after updating the Flash Player, as soon as you feel everything works as it should.

The updates were in place at some point, but the server for Internet Explorer seems to be down again.

 

Microsoft will probably be very busy with their own updates in the coming days and weeks, because it is only a tiny tip of the iceberg we are seeing here.

A large part of what our governments*) use to snoop on the bad guys can now be used by those baddies against all of us.

 

*) - and some really bad governments used to spy on decent people.

 

wim

[wiskerke]

Here is a less crowded page with all updates in all flavors (Mac PC Linux)

https://www.adobe.com/products/flashplayer/distribution3.html

 

wim

[Kathy deWitt]

Working fine with new Flash Players on Mac/Chrome/Safari.  

 

Thanks a lot Wim!

[losdemas]

Thanks, wim.

[Ed Rooney]

Déjà view all over again? 

 

I had a previous problem with the Adobe Flash Player, last year I thought, but now I see that it was back in 2013.

 

If that's not strange enough, I looked for my Flash Player in my apps, to check the version . . . and I find that I have no version, no Adobe Flash Player at all. 

 

So, I'm wondering . . . is this something one can function just fine without or what?  

 

"They" say I can't watch YouTube without it, but YouTube is running just fine. (Some ads do run with pauses, on Hulu or elsewhere.) So what passes for logic with me says AFP is not needed or I have it but it is not showing itself, Maybe it's shy. 

 

Edo

[IanGibson]

Déjà view all over again? 

 

I had a previous problem with the Adobe Flash Player, last year I thought, but now I see that it was back in 2013.

 

If that's not strange enough, I looked for my Flash Player in my apps, to check the version . . . and I find that I have no version, no Adobe Flash Player at all. 

 

So, I'm wondering . . . is this something one can function just fine without or what?  

 

"They" say I can't watch YouTube without it, but YouTube is running just fine. (Some ads do run with pauses, on Hulu or elsewhere.) So what passes for logic with me says AFP is not needed or I have it but it is not showing itself, Maybe it's shy. 

 

Edo

I don't have Flash installed on any of my Mac computers, and have no problems at all. I use the Google Chrome browser, which has Googles own Flash Player, and is updated regularly without me having to lift a finger.

[wiskerke]

 

Déjà view all over again? 

 

I had a previous problem with the Adobe Flash Player, last year I thought, but now I see that it was back in 2013.

 

If that's not strange enough, I looked for my Flash Player in my apps, to check the version . . . and I find that I have no version, no Adobe Flash Player at all. 

 

So, I'm wondering . . . is this something one can function just fine without or what?  

 

"They" say I can't watch YouTube without it, but YouTube is running just fine. (Some ads do run with pauses, on Hulu or elsewhere.) So what passes for logic with me says AFP is not needed or I have it but it is not showing itself, Maybe it's shy. 

 

Edo

 

 

If you can see the traffic on the roundabout here, you have some version of Flash Player.

This page will tell you what version and whether it's the most recent.

 

wim

[Ed Rooney]

I use Chrome and Safari. I have Firefox, too, but they want to do things, so I'm avoiding them. I'm on the Adobe Flash Player page, and it says "You have version 18,0,0,203 installed." Ian, where will it all end??? I'm going back to worrying about money and my health. Thanks.

[Ed Rooney]

Okay, wim -- all is well. The only thing is that roundabout reminds me of an accident I had in Oxfordshire.

[Lightboxx]

alamy should get rid of flash.

it is a security nightmare.

 

alamy should use HTML5 instead.