There is some good news for those many internet users who have Flash installed on their computers.
As I explained at the end of last week, vulnerabilities have been found in Adobe Flash that are being actively exploited by online criminals.
At the time of writing that article, Adobe had issued a patch for one of the critical vulnerabilities – but not the other. Adobe estimated that it wouldn’t be possible to issue a patch for the second zero-day vulnerability (known as CVE-2015-0311) until Monday 26 January or later in the week.
Well, with concern rising about the increased number of attacks, Adobe updated its security advisory on Saturday to say the following:
Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 126.96.36.1996 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.
Sure enough, when I checked System Preferences on my Mac OS X computer I was able to see that Adobe Flash had been automagically updated to the fixed version 188.8.131.526.
If you don’t have Adobe configured to automatically update, you can tell it to check to see if an update is available at a click of a button.
However, it’s not such good news if you are using Chrome or Internet Explorer 10/11 as your browser – it sounds like Adobe needs to get a little help from Google and Microsoft to get the version of Flash built into those browsers updated.
And, if you need to manually download a fixed version of Flash, you will probably have to wait until Monday or later in the week.
Adobe often gets something of a beating because of the number of vulnerabilities found in its software (although its product security does appear to have improved considerably in recent years), but on this occasion we should all thank them for managing to get a fix out – for at least some users – ahead of schedule.
3 comments on “Adobe patches second Flash zero-day vulnerability ahead of schedule”
Indeed good news. As a bit (or perhaps that is more like several thousand kilobytes …) more info on the idea of manual updates. As for Linux, it seems that either:
a. both cves were fixed earlier (I would assume not but I cannot confirm because – it seems, at least with the rpm version (and I'm too lazy to download the tarball to check any changes in it) – Adobe relied on Red Hat to create the rpm and… the last date on it – despite being for the 184.108.40.2068 (or so is the claim – again, not going through the effort to determine this myself) – is from 2006 and for version 220.127.116.11-4 (the -4 is the release of the specific version of the rpm itself (it is used to 'update' the package for same version, even if it isn't a source code change (doesn't matter what it is, really)))
b. it is what Graham refers to – that they will update it later.
BACKPORTS: What is that? It means you take fixes from a more recent release (might just be a patch, could be a new version outright) and patch the changes in to the old version (and package). This very thing confuses some less experienced Linux administrators: they think they should compile certain things manually and install (which makes the system less sane and less verification/integrity) because 'they are not fixed' (they ARE fixed it is just they backport the fixes in to the current tree). And… as Adobe notes:
NOTE: Adobe Flash Player 11.2 will be the last version to target Linux as a supported platform. Adobe will continue to provide security backports to Flash Player 11.2 for Linux.
It means shortly: no future updates except security fixes for Linux.
Okay, so the several thousand kilobytes was an exaggeration, I admit. The above was exactly 1658 bytes. In any case, silly me thinks of tarball and then manual building it. Of course, Adobe is hardly going to do that. I can only offer this, then, on if it was updated recently (bored enough to check). It seems yes but this is not at all 100% (timestamps are not useful for verification and if anything they are a false sense of security – they have uses but security is not one of them). stat on the so (shared object):
Modify: 2015-01-17 22:57:17.000000000 -0800
So it seems that yes it was updated recently. However, they don't seem to have a change log so it is anyone's guess.
Just noting that Adobe did indeed patch it for Linux. The version with both fixes is 18.104.22.1680.