Threat Level: yellow Handler on Duty: Russ McRee

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Monday, January 26th 2015 http://isc.sans.edu/podcastdetail.html?id=4327

"Stealth" Update for Flash from Adobe

Published: 2015-01-24
Last Updated: 2015-01-25 02:58:36 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

[Update] Adobe now updated it's advisory and confirmed that version 16.0.0.296 fixes the o-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website if this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updates as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1] http://www.adobe.com/software/flash/about/

[2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3] http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
7 comment(s)

Flash 0-Day: Deciphering CVEs and Understanding Patches

Published: 2015-01-23
Last Updated: 2015-01-25 02:30:43 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

(updated with Jan 24th update)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version  Currently Used in Attacks Advisory
CVE-2014-8440 15.0.0.223 (Nov. 2014) yes APSB14-24
several 16.0.0.257 (mid Jan 2015) yes. APSB15-01
CVE-2015-0310 16.0.0.287 (late Jan 2015) yes APSB15-02
CVE-2015-0311 16.0.0.296 (Jan 24th 2015) yes APSA15-01

So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: flash
9 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Flash 0-Day: Deciphering CVEs and Understanding Patches
1 day ago by Dr. J. (9 comments)

Infocon change to yellow for Adobe Flash issues
2 days ago by Adrien de Beaupre (0 comments)

How Vulnerabilities Happen: Input Validation Problems
2 days ago by Dr. J. (0 comments)

OOB Adobe patch!
3 days ago by Adrien de Beaupre (4 comments)

Flash 0-Day Exploit Used by Angler Exploit Kit
4 days ago by Dr. J. (9 comments)

Oracle Critical Patch Update for Q1 2015 (Includes Java Updates)
4 days ago by Dr. J. (4 comments)

Finding Privilege Escalation Flaws in Linux
4 days ago by Dr. J. (5 comments)

Traffic Patterns For CryptoWall 3.0
6 days ago by Dr. J. (4 comments)

View All Diaries →

Latest Discussions

your EMET 5.1 experience?
created 1 day ago by Mallory Bobalice (0 replies)

Help to choose Information Security diploma topic
created 1 week ago by Anonymous (0 replies)

calculation on SOC human bodies required
created 1 week ago by Anonymous (0 replies)

Can not view Diary Discussions
created 1 week ago by Anonymous (2 replies)

Questions regarding the new US-CERT reporting guidelines
created 2 weeks ago by Ev (1 reply)

View All Forums →

Latest News

View All News →