Good news from Adobe about CVE-2015-0311, the unpatched zero-day in Flash.
Adobe’s original advisory, APSA15-01, issued on 2015-01-22, warned of a Flash vulnerability being actively targeted in the wild.
The advisory noted that a patch was being worked on post-haste, but would probably only ship some time in the week starting 2015-01-26.
With active attacks going on, but no official patch, we offered a number of mitigations that you could try while you were waiting.
→ Our Flash security tips will protect you next time, so they’re worth looking at anyway.
The good news is that Adobe got its patch ready early, although you can only get it via auto-update at the moment.
According to a note added on 2015-01-24 to the APSA15-01 advisory:
Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311.
But if you prefer to download Adobe’s corporate-flavour standalone installers, you’ll have to wait a bit longer:
Adobe expects to have an update available for manual download during the week of January 26.
The standalone installers do just what they say: instead of a small stub installer that goes online every time you run it to fetch the rest of the Flash software, the standalones are completely self-contained. (Please read Adobe’s FAQ before using the standalones.)
This means you can install the latest Flash Player even on a computer that is disconnected from the internet.
Better yet, the standalone installers don’t include any foistware – by that, we mean the various third-party software products that Adobe leans on you to install along with Flash.
Lastly, the Flash components from Adobe that are built into some third-party browsers aren’t quite ready yet:
We are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
The bottom line
If you have your own installation of Flash, you can update it right now (if it hasn’t updated itself already) and get patched against the recently-announced CVE-2015-0311 zero-day.
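If you manage more than one machine, the practical check is whether each reported Flash version is numerically at or above the fixed build. The following is an added example, not code from the article or from Adobe; the inventory lines are constructed, and it assumes only that the version string reported by the plugin is available to you.

```python
"""Added example (not from the Naked Security article): decide whether a reported
Flash Player version is at or above the build that fixes CVE-2015-0311."""
import re
from typing import List, Optional, Tuple

# Version named in Adobe's APSA15-01 note of 2015-01-24 as containing the fix.
FIXED_VERSION = "16.0.0.296"

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted Flash version ('16.0.0.296') into a tuple of ints.

    Flash uses dots on most surfaces but commas in the ActionScript
    Capabilities.version string (e.g. 'WIN 16,0,0,296'), so both separators
    are accepted. Returns None when no four-part version is present."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version is numerically >= the fixed build.

    Comparison is field by field, never string-wise: '9.0.0.0' is below
    '16.0.0.296' even though it sorts after it as text. Unknown versions are
    treated as unpatched so they surface for a manual look."""
    found = parse_version(version_text)
    target = parse_version(fixed)
    if found is None or target is None:
        return False
    return found >= target

# Constructed sample inventory: (hostname, version string as reported).
SAMPLE_INVENTORY = [
    ("desk-01", "16.0.0.296"),       # picked up the 2015-01-24 auto-update
    ("desk-02", "16.0.0.287"),       # still on the pre-advisory build
    ("desk-03", "WIN 16,0,0,296"),   # comma-style Capabilities.version string
    ("desk-04", "not installed"),    # no Flash present: nothing to patch
]

def unpatched_hosts(inventory) -> List[str]:
    """Hostnames where Flash is present but older than the fixed build."""
    return [host for host, ver in inventory
            if parse_version(ver) is not None and not is_patched(ver)]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Flash to {FIXED_VERSION} or later")
```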
If you have updates set to “Notify” or “Never check”, you can force an update using the [Check Now] feature, as you see here, for example, in the OS X System Preferences:
Well done to Adobe for responding quickly!
Note. Although the crooks can, and do, change their malware payloads at any time, the attacks currently [2015-01-26T07:00Z] associated with these zero-day threats seem to deliver a malware family detected as Troj/Bedep by Sophos products, via an exploit kit component detected as Troj/SwfExp. The Angler exploit kit that is reported to have been used to deliver the Flash payloads is variously detected using the family names Mal/ExpJS and Troj/JSRedir.
TenguTech
The “Notify me to install updates” option doesn’t seem to work, or has a major delay in notifying users. Not that I would let Flash auto install anything, even its own updates.
Considering the auto install and notify me options both probably use the same checking mechanism, there seems to be a problem with notifying users they need to update.
The best option really is just leave Flash disabled unless you need to use it.
Paul Ducklin
I’d mostly agree with that. Indeed, the tips I refer to above suggest removing Flash altogether if you can, or always using “Ask to activate” if completely removing it is a step too far.
Even though I have “Notify updates” turned on (the screen shot in the article was from my own Mac), I found out about the update by clicking [Check Now] by hand.
I assume that Adobe spreads the load a bit by leaving a random delay before notifying each user, thus avoiding everyone hitting the update servers at the same time.
I’m not sure I’d call it “a major delay” just yet…but, then again, I don’t know what the longest wait can be. From experience on Patch Tuesdays, I *think* it can be a few days, and in this case, perhaps that is too long. Might be nice if Adobe gave an idea in its advisories or bulletins of the maximum update window you should expect…
If you’re worried, click Check Now now :-)
TenguTech
Yes, maybe I should create an Automator action to click the ‘Check now’ button on a daily basis :)
Neal
If you are in Windows, go to Task Scheduler, and then manually run the Adobe Flash Updater. That will update Flash.
LindaB
My Task Scheduler does not have an entry for Adobe Flash – nor any other Adobe products!
TED
Does Sophos UTM have definitions to catch this yet?
Paul Ducklin
You can find info on the various threat names that Sophos products use for this stuff here:
https://nakedsecurity.sophos.com/2015/01/23/adobe-issues-emergency-fix-for-flash-zero-day/
HtH.
Paul Ducklin
[Replying to self.] For clarity, I have added the info from the above page at the bottom of this one, listing the names you would be likely to find in your logs if you were to be attacked. These names cover not just the malware being reported at the end of it all, but the Flash that delivers the malware, and the JavaScript that delivers the Flash.
easae
I have just purchased a Chromebook and wish to install Adobe Flash (as it’s required to start my online class this week!) – so is it safe to the original installation now? If not, when?
Paul Ducklin
I have never used a Chromebook (some things in life are best experienced vicariously :-), but IIRC, Chromebooks come with the Chrome browser, and the Chrome browser comes with its own, built-in version of Flash.
So you neither install nor update Flash yourself. Google does that for you. As mentioned in the article, you have to wait, with Adobe saying, “We are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.”
Having said that, Google’s usually pretty quick at patching Chrome, so you probably won’t have to wait long, if indeed the update hasn’t happened already.
MikeP_UK
I don’t let any software automatically ‘update’ itself – too many instances of foistware. So the Adobe setting for it to inform me that there is an update has never once told me of any updates; I’m convinced it’s broken and has been for years on several computers!
So I ran a scan using Secunia PSI and that found the two instances of Flash (one for FF and one for IE) were in fact out of date and offered the Adobe updates. They were downloaded direct from Adobe and installed using the features of PSI. A rescan shows they are now up-to-date.
But, as I am a wary sort, I’ll be rechecking for the next several days to see if there are any further ‘updates’ or are they ‘patches’.
Steve
Adobe’s a bit weird on the updates – security and critical ones (like this) are treated differently than regular updates. Regular updates can take up to 30-45 days to be installed if a lower interval isn’t specified in the mms.cfg file. Security ones seem to be applied as soon as they are available.
Also, if you are on a domain and/or using an account with limited privileges, you’ll get the message that an update is available, but you won’t be able to apply it. The update will still get done, because it’s set up to run using admin privileges.
ejhonda
As of 11:11 EST, Adobe hadn’t updated the Flash Player About page to reflect that 16.0.0.296 is the latest version. Their page still reports that version 16.0.0.287 is the latest. Guess they caught their web staff off guard, too.
Josh
Does anyone know how often malicious “flash player update” pop-ups are actually exploiting flash vulnerabilities?
In addition to detecting an out-of-date version and trying to take advantage of it, they could simply be using the “flash player update” as a way to get the user to install any variety of malicious software. My colleagues and I are having a debate over which is more secure: No Flash at all. Vs. Current version of Flash. An argument is being made that if we don’t install Flash for our users they are more likely to be presented with fake ‘flash player update’ pop-ups.
Paul Ducklin
Interesting thoughts.
In the workplace, I do accept that forcing everyone to have no Flash at all – with or without fake popups deliberately targeting the lack of Flash – might well lead to people deciding, “Well, *I* need Flash so I am going to do something about that.”
Could “Ask to activate” be a middle ground? Users who just approve everything anyway will be no worse off than having unrestricted Flash; users who want to pace themselves will at least have a chance of doing the right thing…
Jessie
One would think, after having to “post-haste” release emergency zero-day patches after EVERY release (I swear I see a new zero-day patch every week…), Adobe would do something more, like, oh, I don’t know, test with a little more vigor?!
Paul Ducklin
To be fair, all patches come after the previous ones :-) Look on the bright side: Adobe didn’t make you wait until next Patch Tuesday. (And I swear you haven’t seen a new Flash 0-day patch every *week*, though it’s hard to say whether that would be better – faster response – or worse – worse code quality – without more detailed analysis.)