Adobe Flash Zero Day Found in the Wild

[Corrine]

New Adobe Flash Zero-Day found in the Wild | Malwarebytes Unpacked

Security researcher Kafeine has discovered a Zero-Day in Adobe Flash Player distributed through the Angler Exploit Kit.

 

The information by Kafeine is at Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK | Malware don't need Coffee.

[Corrine]

Adobe has released security updates for Adobe Flash Player 16.0.0.257 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.425 and earlier versions for Linux. This update address the above-referenced Zero-Day. See follow-up post!

 

It is strongly advised that the update be applied as soon as possible.

• Non-IE Plugin (Opera, Firefox, Etc.): http://download.macr...r_16_plugin.exe
  
• Flash Player For Internet Explorer, Windows 7 and earlier: http://download.macr...16_active_x.exe
   
  Internet Explorer, Windows 8 and above: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from Microsoft Security Advisory: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10: July 9, 2013.
  
• Flash Player Uninstaller: http://download.macr...lash_player.exe
  

[Corrine]

Correction: From Threatpost, Adobe Patches One Zero Day in Flash, Still Investigating Separate Vulnerability:

 

"The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks."

The Threatpost article further indicated that there is no indication from Adobe officials that an update is in the works for the Angler zero-day vulnerability.

 

[Temmu]

huh. 2 threats, one being addressed. sigh.

 

one wishes the web would exist w/o flash.

[Corrine]

Adobe gets second Flash zero-day patch ready 2 days early! | Naked Security

 

If you have Flash Player set to auto-update, you'll receive the update automatically. Otherwise, the stand-alone installer for version 16.0.0.296 will be available for manual download during the week of January 26.

 

Do the following to set Flash Player to auto-update:

 

Windows: click Start > Settings > Control Panel > Flash Player

Macintosh: System Preferences (under Other) click Flash Player

Linux Gnome: System > Preferences > Adobe Flash Player

Linux KDE: System Settings > Adobe Flash Player

 

Adobe Security Bulletin

[Corrine]

The direct download links are now available:

 

Non-IE Plugin (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_16_plugin.exe

Flash Player For Internet Explorer, Windows 7 and earlier: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_16_active_x.exe

 

[ebrke]

Interesting--after running the download from the link Corrine supplied I find that Flash on Win7 reports a higher version than Adobe is saying is current on their check-Flash-version webpage. We're nothing if not cutting edge here at SNLF.

[Corrine]

The About page has finally been updated: http://www.adobe.com/software/flash/about/

[Temmu]

true, ebrke.

thanks again, corrine!