"Stealth" Update for Flash from Adobe

Published: 2015-01-24
Last Updated: 2015-01-25 02:58:36 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

[Update] Adobe has now updated its advisory and confirmed that version 16.0.0.296 fixes the 0-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website indicating whether this is a security patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updated as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1] http://www.adobe.com/software/flash/about/

[2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3] http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.


Comments

Adobe has updated its Security Advisory for Adobe Flash Player APSA15-01. http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

Adobe Flash Distribution3 page still has 16.0.0.287 as the available download. No update as of yet.

There's an update on Adobe's PSIRT blog http://blogs.adobe.com/psirt/?p=1160

"...
UPDATE (January 24): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player, please refer to this post. We will continue to provide updates on this issue via the Adobe PSIRT blog."

Late Saturday afternoon, get.adobe.com/flashplayer/ is still installing 16.0.0.287; I've tried twice.

And somebody noticed that the new version showed 16,0,0,296 (commas instead of dots) when it installed for them. Might want to check that it wasn't pushed out too quickly.

Corporate GPO push will be waiting until sometime next week for the redistribution exe and msi installers to be upgraded.
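The comments above check the installed build by hand and note that Flash reports its version with commas (16,0,0,296) rather than dots. As an added example that is not part of the diary or its comments, here is a small Python check that accepts either separator, compares the build against 16.0.0.296 (the version APSA15-01 names as fixing CVE-2015-0311) and lists the hosts that still need attention. The inventory, host names and function names are constructed for this example; the page does not give the fixed version for the Flash 13 extended-support branch, so any build below 16.0.0.296 is simply flagged for review rather than judged per branch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Build that Adobe's advisory APSA15-01 names as the fix for CVE-2015-0311 (from the page).
FIXED_VERSION: Tuple[int, int, int, int] = (16, 0, 0, 296)

# Flash reports versions as "16.0.0.296" or, from the runtime itself, "WIN 16,0,0,296";
# accept either separator and ignore any platform prefix.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the four-part Flash version found in text, or None if there is none."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_patched(text: str, fixed: Tuple[int, int, int, int] = FIXED_VERSION) -> bool:
    """True when the reported version is at or above the fixed build.

    Tuple comparison is element-wise, so 16.0.0.287 < 16.0.0.296 < 17.0.0.1.
    """
    version = parse_flash_version(text)
    return version is not None and version >= fixed


# Constructed sample inventory (hypothetical hosts): host -> version string as reported.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "16.0.0.287",        # pre-update build, still vulnerable
    "ws-02": "WIN 16,0,0,296",    # comma form the runtime reports after updating
    "ws-03": "MAC 16,0,0,296",    # same build on the Mac runtime
    "ws-04": "13.0.0.262",        # extended-support branch; fixed build not on this page
    "ws-05": "not installed",     # no parseable version at all
}


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported build is below the fixed version."""
    return sorted(
        host for host, reported in inventory.items()
        if parse_flash_version(reported) is not None and not is_patched(reported)
    )


def hosts_with_unknown_version(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose version string could not be parsed; these need a manual look."""
    return sorted(
        host for host, reported in inventory.items()
        if parse_flash_version(reported) is None
    )


if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
    print("unknown version:", hosts_with_unknown_version(SAMPLE_INVENTORY))
```

Feeding the function the version strings your inventory tool collects (or the one the Flash "about" page shows) gives a quick list of machines the weekend update has not reached yet; the comma-separated form that puzzled one commenter is parsed the same as the dotted one.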

APSA15-01 updated today with this:
"UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post."

And:
"Revisions
January 24, 2015: Updated to include Flash Player version delivered via auto-update.
January 24, 2015: Updated to reflect reports that Windows 8.1 is also affected by CVE-2015-0311."

From: https://helpx.adobe.com/security/products/flash-player/apsa15-01.html

The Sophos story says it needs to be auto-update; for the stand-alone download installer you'll have to wait. https://nakedsecurity.sophos.com/2015/01/24/adobe-gets-second-flash-zero-day-patch-ready-2-days-early/

The Adobe Flash Player Distribution page now has EXE, MSI, and DMG downloads for the 296 update, with the added bonus of no crap-ware add-ons.

http://www.adobe.com/products/flashplayer/distribution3.html

Flash Player 16.0.0.296 (Win and Mac)
These updates are also available in the Flash 13 extended support and current Flash version SCCM/SCUP catalogs for those using SCCM, WSUS Update Packager or Local Update Packager.

And 16.0.0.296 is already a failed piece of history as of Feb... Prepare to patch again... Ain't this fun?
