
Did Firefox listen to Facebook and just kill Flash? (No, but there’s another patch!)


Just like Flash exploits, it seems that Flash exploit stories come along in bunches, too, like those pesky buses you wait for.

No sooner had we written about Facebook’s new CSO’s weekend “Death to Flash” tweet

…than an eagle-eyed Naked Security reader pointed us at a tweet from someone going by @MarkSchimdty, who seems to be something of an anti-Flash hacktivist, considering the photo accompanying his tweet:

BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now.

Not in my Flash in my Firefox, as it happens – with Flash set to “Always ask,” Firefox asked and then used Flash if I agreed.

But the facts behind the histrionics seemed to sort themselves out when I tried Adobe’s own Flash Tester (yes, I used click-to-play):

That’s right, there’s a new new version of Flash, superseding the one released only last week that superseded the patch from the week before that.

The latest update presumably fixes the vulnerabilities dubbed CVE-2015-5122 and CVE-2015-5123, announced earlier this week in Adobe’s APSA-15-04 security advisory:

These two security holes are yet more fallout from the data exfiltrated and dumped publicly when Italian security company Hacking Team was breached recently.

Interestingly, when I went looking I must have been a touch ahead of Adobe, because the above mentioned 18.0.0.209 Flash version wasn’t listed amongst the recent security communications:

And .209 wasn’t offered as an update, at least in my part of the world, when I manually asked Flash to check [2015-07-14T13:37Z] (*):

But it was there when I went to Adobe’s Flash Player Distribution page, where holders of an Adobe Flash Player Distribution License Agreement can download foistware-free installers of the latest Flash product to deploy across their own networks:

Er, that’s it…there’s a critical Flash update.

If you have Flash, try to get it as soon as you can.

You may need to go digging on your own account, instead of waiting for Flash’s own updater to get round to you – Adobe understandably doesn’t push out automatic updates to every user in the world at the same time.

(If you have a browser with a built-in Flash version, you may have to wait, but at least you know to expect the new 18.0.0.209-flavoured release.)

Let’s hope the eager-beavers who have been digging through the Hacking Team debris have now found all the Flash hacks that were awaiting discovery!

(*) Yes. It really WAS 1337 UTC when I checked. I didn’t make that up :-)

10 Comments

Yep I reckon it’s time, I’ve set Shockwave Flash in Firefox plugins to “Ask to activate”. Last time I found I couldn’t do without it, but the number of websites implementing HTML5 out there is exploding at the moment so we’ll see!

Reply

Problem I’ve had with that is it doesn’t tell you which sites will work without Flash, but merely documents those that can :-)

If Flash is there (whether by asking or not) then many sites use it anyway…there isn’t a “use HTML5 instead” option…

Reply

Exactly. Just paid for something on PayPal which…requires Adobe Flash! Unbelievable! Perhaps if I didn’t activate Flash it would have reverted to an AJAX or HTML5 front-end – or perhaps not?

Reply

It seems like they did, I just read an article the other day that said they will stop supporting Flash.

Reply

I patched my Windows machines, but Linux still seems to be stuck at 11.2.202.481 at the moment, which Firefox doesn’t like. I have it set click-to-play, though, so not much different than usual.

Reply

“There’s a critical Flash update.” Not for Linux, there ain’t. Both the updater and Adobe’s site say 11.2.202.481 is the latest version available – and Firefox says it’s no good.

Reply

I deleted firefox and use chrome. Still get a couple of stalls at times, but not the constant crashing I did before. I play a couple of fb games and this problem was making me nuts.

Reply

Operating on Windows 10, which has Flash Player embedded, McAfee advised using IE rather than Microsoft Edge. BUT Flash Player will work in Edge BUT not in Facebook!!!

Reply
