My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

"Stealth" Update for Flash from Adobe

Published: 2015-01-24. Last Updated: 2015-01-25 02:58:36 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

[Update] Adobe now updated it's advisory and confirmed that version 16.0.0.296 fixes the o-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website if this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updates as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1] http://www.adobe.com/software/flash/about/

[2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3] http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
9 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Adobe has updated its Security Advisory for Adobe Flash Player APSA15-01. http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

Anonymous

Jan 24th 2015
9 years ago

Adobe Flash Distribution3 page still has 16.0.0.287 as the available download. No update as of yet.

Anonymous

Jan 24th 2015
9 years ago

There's an update on Adobe's PSIRT blog http://blogs.adobe.com/psirt/?p=1160

"...
UPDATE (January 24): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player, please refer to this post. We will continue to provide updates on this issue via the Adobe PSIRT blog."

Anonymous

Jan 25th 2015
9 years ago

Late, Saturday afternoon, get.adobe.com/flashplayer/ is still installing 16.0.0.287, I've tried twice.

And somebody noticed that the new version showed 16,0,0,296 (commas instead of dots) when it installed for them. Might want to check that it wasn't pushed out too quickly.

Corporate GPO push will be waiting until sometime next week for the redistribution exe and msi installers to be upgraded.

Anonymous

Jan 25th 2015
9 years ago

APSA15-01 updated today with this:
"UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post."

And:
"Revisions
January 24, 2015: Updated to include Flash Player version delivered via auto-update.
January 24, 2015: Updated to reflect reports that Windows 8.1 is also affected by CVE-2015-0311."

From: https://helpx.adobe.com/security/products/flash-player/apsa15-01.html

Anonymous

Jan 25th 2015
9 years ago

The Sophos story says it needs to be autoupdate, for the stand alone download installer you'll have to wait. https://nakedsecurity.sophos.com/2015/01/24/adobe-gets-second-flash-zero-day-patch-ready-2-days-early/

Anonymous

Jan 25th 2015
9 years ago

The Adobe Flash Player Distribution page now has EXE, MSI, and DMG downloads for the 296 update, with the added bonus of no crap-ware add-ons.

http://www.adobe.com/products/flashplayer/distribution3.html

Flash Player 16.0.0.296 (Win and Mac)

Anonymous

Jan 25th 2015
9 years ago

These updates are also available in the Flash 13 extended support and current Flash version SCCM/SCUP catalogs for those using SCCM, WSUS Update Packager or Local Update Packager.

Anonymous

Jan 26th 2015
9 years ago

And 16.0.0.296 is already a failed piece of history as of Feb... Prepare to patch again... Ain't this fun?

Anonymous

Feb 3rd 2015
9 years ago

Login here to join the discussion.


Top of page
Diary Archives