Adobe Systems has fixed more than 30 vulnerabilities in its Flash Player, most of which could be exploited to remotely install malware on computers.
The bulk of the flaws, 26, were patched in Flash Player on all supported platforms, including Windows, Mac and Linux.
“These flaws could allow hackers to compromise computers and install malware.”
Adobe advises users to update to Flash Player version 126.96.36.199 on Windows and Mac, or version 188.8.131.525 on Linux. The new version of the Flash Player extended support release, which only receives security patches, is now 184.108.40.2065.
The Flash Player plug-in bundled with Google Chrome will be automatically updated through the browser’s update mechanism and the plug-in bundled with Microsoft Edge and Internet Explorer 11 on Windows 10 and 8.1 will be updated through Windows Update.
Adobe also released version 4.5.2 of Adobe Digital Editions for Windows, Mac, iOS and Android. This new version of the company’s eBook reading app fixes eight vulnerabilities, all of which could be exploited to achieve remote code execution.
So there you go – make sure your Adobe Flash Player is up to date!
If you are one of my dedicated readers here, you are surely aware that I have been predicting the end of Adobe’s Flash. Its long, sad history of security problems has plagued users and applications for a very long time. Now it seems news from Chrome is going to… finally hasten Flash’s overdue end.
Google is now aiming to make HTML5 the primary experience in Chrome by the fourth quarter of this year, except for a very small white list of 10 sites that will continue to run Adobe’s Flash Player.
Under the plan revealed by Google, called “HTML5 by Default”, the Chrome browser will continue to ship with Adobe’s Flash Player, but its presence will not be advertised by default.
If a website offers HTML5, that will be the default experience. For those sites that need Flash, a prompt will show up at the top of the page when the user first visits the site.
The prompt will give users the option of running or declining to run Flash on the site. “If the user accepts, Chrome will advertise the presence of Flash Player and refresh the page,” Google said. On subsequent visits to the domain, the user’s initial choice is likely to hold good, though Google is still working on the options for future prompts.
I believe that by requiring users to accept the prompt to use the Flash Player, Google is protecting itself from liability if things go badly for the end user.
A wise move on Google’s part, which will also help shine a light on the flawed application by forcing users to consider other, more secure options for viewing content on websites. My recommendation is that if you receive this prompt, deny it and see if the website works OK for you before accepting the “Flash Player” option.
Once critical for rich media on the Web, Flash has been sidelined by HTML5, which has emerged as a serious competitor, with Google and other players backing it. HTML5 provides a more integrated media experience with faster load times and lower power consumption, claims Google, which earlier this year said it would block the upload of display ads built in Flash from June 30 in AdWords and DoubleClick Digital Marketing, besides taking other measures to reduce the role of the player. The Flash Player’s track record for vulnerabilities has also not been good, exposing users to a variety of threats.
Chrome will initially ship with a white list of the top 10 sites using Flash, sorted by aggregate usage of a specific domain. This will include sites like YouTube.com, Facebook.com, Amazon.com and Mail.ru. The white list will continue for one year and the list will be periodically updated to remove sites whose usage no longer requires the special treatment.
Enterprises will also be given a policy option to always run Flash content, which would be unwise unless it is absolutely necessary.
Adobe’s Flash is notoriously buggy, never good news for its one billion users across Windows, Mac, Chrome and Linux. Now the company has pushed out an emergency patch after researchers found what they think is the first talking hack.
The RANSOM_CERBER.A ransomware has previously been buried in ads on bad websites; once clicked, it later encrypts all of your data and issues a demand of up to $1,000 to give you your files back.
When your PC is infected with this bit of nasty ransomware, you are greeted with a slightly bored computer-generated woman’s voice announcing:
Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!
Of course you should never pay cyber ransoms: paying signals that you would likely do so again in the future, and you would be victimized over and over again.
A much better option is to make sure to back up important files regularly.
According to Reuters, Adobe has urged Flash users to update the product in order to protect themselves.
At the end of the week an emergency update was released by Adobe Systems after 23 loopholes (yes, 23) in their software were discovered. Adobe issued a security advisory explaining that there had been a “limited number of targeted attacks” as one of the loopholes was actively exploited.
Adobe is urging people to install the latest update as quickly as possible, no matter whether they’re running Windows, Mac or Linux software.
Do You Have Flash?
You can quickly check your PC out with this simple Adobe tool. I recommend taking the time to check your PC and, of course, updating Flash (if you have it).
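The check Adobe’s tool performs on your behalf can also be done by any page: when the browser “advertises the presence of Flash Player” (as Chrome will only do after you accept the prompt described above), it exposes the plugin through `navigator.mimeTypes`. The following is an added example, not code from the original post or from Adobe, showing how a site can detect Flash and refuse to use a build older than a minimum version, falling back to HTML5 instead. It operates on a navigator-like object so it runs offline on constructed data; the minimum version is a placeholder, not a value from this post.

```javascript
// Added example (not from the original post): detect whether the browser
// advertises Flash Player and whether the advertised build is out of date.
// Pass window.navigator in a real page; here a constructed object is used.
const FLASH_MIME = "application/x-shockwave-flash";

// Placeholder minimum: replace with the version from Adobe's current advisory.
const MIN_FLASH_VERSION = "20.0.0.0";

// Parse "Shockwave Flash 19.0 r0", "WIN 19,0,0,226" or "19.0.0.226"
// into [major, minor, build, revision]; missing parts become 0.
function parseFlashVersion(text) {
  const m = /(\d+)[.,](\d+)(?:[.,](\d+))?(?:[.,\s]+r?(\d+))?/.exec(text || "");
  if (!m) return null;
  return [1, 2, 3, 4].map(i => parseInt(m[i] || "0", 10));
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { present, version, outdated } for a navigator-like object.
// A plugin whose version cannot be parsed is treated as outdated.
function detectFlash(nav, minimumVersion) {
  const mime = nav.mimeTypes && nav.mimeTypes[FLASH_MIME];
  const plugin = mime && mime.enabledPlugin;
  if (!plugin) return { present: false, version: null, outdated: false };
  const version = parseFlashVersion(plugin.description);
  const outdated = version === null ||
    compareVersions(version, parseFlashVersion(minimumVersion)) < 0;
  return { present: true, version, outdated };
}

// Constructed sample: a browser advertising an older Flash build.
const sampleNavigator = {
  mimeTypes: {
    [FLASH_MIME]: { enabledPlugin: { description: "Shockwave Flash 19.0 r0" } }
  }
};
const result = detectFlash(sampleNavigator, MIN_FLASH_VERSION);
console.log(result.present
  ? `Flash ${result.version.join(".")} present, outdated: ${result.outdated}`
  : "Flash not advertised; use the HTML5 experience");
```

A site that gets `outdated: true` (or `present: false`) should serve its HTML5 content rather than load Flash.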
The Details of This Exploit
The critical rating assigned to this particular vulnerability means that if it is exploited by hackers, malicious code could be executed and your computer taken over, potentially without you being aware of it. This could be used to spy on you or to steal your data. All it would take for your computer to be affected is for you to be ambushed by a rogue Flash-powered Web page or ad.
The vulnerability is just the latest in a series of major security flaws that Adobe has been forced to acknowledge. Flash was once the darling of the Internet, used for running games, powering graphics and streaming media inside Web browsers. But its heyday is well and truly over, with many tech companies fed up with its many security vulnerabilities and the toll it takes on smartphone batteries.
The End of Flash?
As I have reported here many times, Flash is a dying technology and this is just the latest example of why. Flash is like Swiss cheese when it comes to security flaws. Avoid it if you can. This is not always possible because many websites still rely on it – however Flash’s time IS running out as most websites are scrambling to move away from it.
Adobe released a patch for a critical vulnerability in Flash Player faster than it originally anticipated in response to high-profile cyberespionage attacks against governmental targets.
The latest Flash Player updates released Friday address a flaw that’s already exploited by a Russian espionage group known as Pawn Storm, as well as two other critical vulnerabilities reported privately to Adobe.
The CVE-2015-7645 vulnerability is actively exploited by the Pawn Storm group in attacks targeting several foreign affairs ministries from around the globe, security researchers from Trend Micro reported Tuesday.
Adobe confirmed the vulnerability Wednesday and initially scheduled a fix for this week. It then exceeded its own expectations and delivered the patch Friday.
Users of Flash Player on Windows and Mac are strongly advised to upgrade to version 220.127.116.11, and Linux users to version 18.104.22.1680. Users of the extended support release should make sure they’re running the latest 22.214.171.124 version.
In addition to fixing CVE-2015-7645, the new updates also address two type confusion vulnerabilities — CVE-2015-7647 and CVE-2015-7648 — reported by Natalie Silvanovich of Google’s Project Zero team.
If left unpatched, all three flaws can allow attackers to execute arbitrary code on affected computers and take control of them.
Adobe Flash, the world’s most hated software, is finally on the way out. Technically, it’s been on its way out for years, but today it received what will prove to be one of the final nails in its digital coffin.
Google officially killed Flash advertising in its browser. As of September 1, any advertising that uses the technology will remain frozen until the user clicks it to play.
A new setting, enabled by default in Chrome, automatically optimizes plugins to save battery power and CPU cycles and specifically targets autoplaying advertising.
The change comes as Google AdWords now makes it possible to automatically convert advertisements created using Flash into HTML5, a friendlier and safer format for playback.
Browser support for modern formats, such as HTML5 video has finally become widespread enough to make such a move possible.
The majority of users are already able to trash Flash, although its time of death cannot truly be called until Netflix and other streaming providers drop it entirely. That is a sure thing as well, and should not take very long at this point.
The much hated software has been plagued by problems over the years ranging from poor performance to massive recurring security holes.
You will be automatically updated to Chrome 42 today, which changes the default Flash setting to “detect and run important plugin content.”
The Adobe Flash problem is far from over. It is now being reported that hackers are working to break into federal agencies using the recently patched Flash vulnerability.
Adobe released an emergency update to fix a critical flaw in its Flash Player browser plugin last week. The vulnerability is actively exploited in the wild via limited, targeted attacks. Internet Explorer for Windows 7, Firefox and Windows XP users are vulnerable.
The FBI issued a warning in a memo.
“The FBI has received information regarding a likely ongoing phishing campaign that started 08 July 2015 and was observed targeting U.S. government agencies. This campaign is similar to a June campaign launched by similar malicious actors. In both campaigns, the e-mails contain a link that exploits Adobe Flash vulnerability CVE-2015-5119.”
This Adobe flaw, and two previous ones, were made public after Hacking Team was itself hacked. The Italian company made a name for itself helping governments and intelligence agencies spy on people. But now the tables have been turned as the team’s private documents have been exposed online. The recent Adobe Flash flaw was part of that hack.
As part of the attack, hackers sent a tweet from Hacking Team’s Twitter account that offered a link to 400 GB of the company’s source code, e-mails and internal files. Adobe so far has been the biggest victim.
Adobe said successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe said an exploit targeting this vulnerability has been published publicly.
There is little doubt that cybercriminals have already got their evil little hands on this latest flaw and will integrate it in their exploit kits with much haste. This is one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team themselves.
Microsoft has released a rare emergency patch, outside of its normal monthly “Patch Tuesday” schedule, for a critical flaw affecting all supported versions of Windows.
The software giant said in an advisory Monday that the vulnerability, if exploited, could “allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.”
Users running Windows Vista, Windows 7, 8, 8.1 and Windows RT are all affected, including those running Windows Server 2008 and later. A Microsoft spokesperson confirmed in an emailed statement that Windows 10 Insider Preview is also affected.
The “critical”-rated software update lands almost a week after its scheduled Patch Tuesday, when it typically issues security fixes. Microsoft said it believed the flaw was public but did not have any evidence to suggest it was being actively exploited.
The patch is available over Windows Update.
Mozilla has blacklisted all vulnerable versions of Adobe Flash in its Firefox browser, following the discovery of numerous critical security flaws in the platform.
Today Mark Schmidt, head of Firefox Support, took to Twitter to announce the change.
This news comes just a day after Facebook’s chief security officer Alex Stamos called for moves to force the extinction of Flash, as the plugin is widely reported to be used to spread malware on users’ systems via Flash security exploits.
Three major Flash vulnerabilities were recently discovered when 400GB of security firm Hacking Team’s internal documents and product source code were leaked online. Adobe is aware of the issues and has said that it will release a fix this week.
Mozilla has noted that Flash will remain blocked until Adobe releases a version that isn’t being actively exploited by publicly known vulnerabilities.
With a major browser blocking the plugin by default and working on other alternatives, it may finally be too late for Adobe to rescue its aging multimedia platform.