Adobe patches second Flash zero-day vulnerability ahead of schedule

There is some good news for the many internet users who have Flash installed on their computers.

As I explained at the end of last week, vulnerabilities have been found in Adobe Flash that are being actively exploited by online criminals.

At the time of writing that article, Adobe had issued a patch for one of the critical vulnerabilities – but not the other. Adobe estimated that it wouldn’t be possible to issue a patch for the second zero-day vulnerability (known as CVE-2015-0311) until Monday 26 January or later in the week.

Well, with concern rising about the increased number of attacks, Adobe updated its security advisory on Saturday to say the following:


Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

Sure enough, when I checked System Preferences on my Mac OS X computer I was able to see that Adobe Flash had been automagically updated to the fixed version 16.0.0.296.


If you don’t have Adobe configured to automatically update, you can tell it to check to see if an update is available at a click of a button.

However, it’s not such good news if you are using Chrome or Internet Explorer 10/11 as your browser – it sounds like Adobe needs to get a little help from Google and Microsoft to get the version of Flash built into those browsers updated.

And, if you need to manually download a fixed version of Flash, you will probably have to wait until Monday or later in the week.

Adobe often gets something of a beating because of the number of vulnerabilities found in its software (although its product security does appear to have improved considerably in recent years), but on this occasion we should all thank them for managing to get a fix out – for at least some users – ahead of schedule.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

3 comments on “Adobe patches second Flash zero-day vulnerability ahead of schedule”

  1. Coyote

    Indeed good news. As a bit (or perhaps that is more like several thousand kilobytes …) more info on the idea of manual updates. As for Linux, it seems that either:

    a. both CVEs were fixed earlier (I would assume not but I cannot confirm because – it seems, at least with the rpm version (and I'm too lazy to download the tarball to check any changes in it) – Adobe relied on Red Hat to create the rpm and… the last date on it – despite being for the 11.2.202.438 (or so is the claim – again, not going through the effort to determine this myself) – is from 2006 and for version 9.0.21.55-4 (the -4 is the release of the specific version of the rpm itself (it is used to 'update' the package for the same version, even if it isn't a source code change (doesn't matter what it is, really)))
    b. it is what Graham refers to – that they will update it later.

    More importantly:

    BACKPORTS: What is that? It means you take fixes from a more recent release (might just be a patch, could be a new version outright) and patch the changes into the old version (and package). This very thing confuses some less experienced Linux administrators: they think they should compile certain things manually and install (which makes the system less sane and gives less verification/integrity) because 'they are not fixed' (they ARE fixed, it is just that they backport the fixes into the current tree). And… as Adobe notes:

    NOTE: Adobe Flash Player 11.2 will be the last version to target Linux as a supported platform. Adobe will continue to provide security backports to Flash Player 11.2 for Linux.

    It means shortly: no future updates except security fixes for Linux.

  2. Coyote

    Okay, so the several thousand kilobytes was an exaggeration, I admit. The above was exactly 1658 bytes. In any case, silly me thinks of a tarball and then manually building it. Of course, Adobe is hardly going to do that. I can only offer this, then, on whether it was updated recently (bored enough to check). It seems yes but this is not at all 100% (timestamps are not useful for verification and if anything they are a false sense of security – they have uses but security is not one of them). stat on the .so (shared object):

    Modify: 2015-01-17 22:57:17.000000000 -0800

    So it seems that yes it was updated recently. However, they don't seem to have a change log so it is anyone's guess.
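The comment above makes a point worth seeing in practice: a file's modification time says nothing about its contents. This added example (not from the post or the commenter) uses a constructed stand-in for the shared object; the file name, its contents and the 2015-01-17 timestamp being re-applied are assumptions chosen to mirror the comment.

```shell
#!/bin/sh
# Added example: an mtime can be set to anything by whoever can write the file,
# so only a content check (hash, or the package manager's verification) tells
# you what is actually installed. GNU coreutils (stat -c, touch -d, date -d) assumed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SO="$WORK/libflashplayer.so"        # constructed stand-in, not the real plugin
printf 'constructed shared object, build 1\n' > "$SO"

# Hash of the file as obtained from a trusted source (here: as first written).
file_hash() { sha256sum "$1" | cut -d' ' -f1; }
KNOWN_GOOD=$(file_hash "$SO")

# Give the file the same "recent" timestamp the comment quotes.
touch -d '2015-01-17 22:57:17' "$SO"
stat -c 'Modify: %y' "$SO"

# Replace the contents, then put the old timestamp straight back.
printf 'constructed shared object, build 2 (altered)\n' > "$SO"
touch -d '2015-01-17 22:57:17' "$SO"
stat -c 'Modify: %y' "$SO"           # looks identical to before

# Weak check: "was it modified on or after the patch date?" -> still passes.
verify_mtime() { [ "$(stat -c %Y "$1")" -ge "$(date -d '2015-01-17' +%s)" ]; }

# Real check: does the content still match the recorded hash? -> now fails.
verify_hash() { [ "$(file_hash "$1")" = "$KNOWN_GOOD" ]; }

if verify_mtime "$SO"; then echo "mtime check: passes (meaningless)"; fi
if verify_hash "$SO"; then echo "hash check: passes"; else echo "hash check: FAILS (content changed)"; fi
```

On an rpm-based system the equivalent of the hash check is the package manager's own verification (rpm -V), which compares installed files against the digests recorded at install time.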

  3. Coyote

    Just noting that Adobe did indeed patch it for Linux. The version with both fixes is 11.2.202.440.
