Flash 0-day targetting 16.0.0.257

[TheRyuu]

Copy pasta of my post in the Flash thread in the Windows forum.

There's a 0-day which targets an up to date Flash (16.0.0.257)[1]. I don't know if it only targets specific versions of Flash or if they're all vulnerable (assume they all are).

The only mitigation there is as of right now is to disable Flash (e.g. click-to-play).

[1] http://arstechnica.com/security/2015/01/attack-for-flash-0day-goes-live-in-popular-exploit-kit/

 

[John Connor]

Just when the hell will HTML 5 take a hold? Why doesn't YouTube just ditch Flash and force the HTML 5 revolution?

NoScript and Sandboxie FTW!

 

[balloonshark]

I got tired of playing the update game a long time ago. I got rid of crap like java, itunes, real player, etc. Unfortunately I need flash so I also rely on noscript, sandboxie, limited user account and a few other goodies to mitigate the constant flow of vulnerabilities. It's a setup that works for me and now I update when I feel like it instead of worrying about vulnerabilities and exploits.

 

[MustISO]

Haven't had flash in years and in the past year it's been no issue with sites like YouTube. Seems like now I can watch pretty much anything. There's still some videos I can't see but that's perfectly fine given the risk of having flash.

 

[seepy83]

Just FYI - there was a new patch for one of the recent Flash vulnerabilities (CVE-2015-0310) released yesterday (http://helpx.adobe.com/security/products/flash-player/apsb15-02.html).

However, there is still another unpatched vulnerability (CVE-2015-0311) that is expected to be released sometime next week (http://helpx.adobe.com/security/products/flash-player/apsa15-01.html)

isc.sans.edu has raised the Infocon Threat Level to Yellow as a result of this unpatched Flash vulnerability.

 

[TheRyuu]

Just when the hell will HTML 5 take a hold? Why doesn't YouTube just ditch Flash and force the HTML 5 revolution?

NoScript and Sandboxie FTW!

Youtube already did do that. I also doubt HTML5 will be the end of the exploits. It may lead to a reduction with the possibility of a reduced attack surface but bugs can exist in the HTML5 code as well.

Came here to post this, beat me to it:

Just FYI - there was a new patch for one of the recent Flash vulnerabilities (CVE-2015-0310) released yesterday (http://helpx.adobe.com/security/products/flash-player/apsb15-02.html).

However, there is still another unpatched vulnerability (CVE-2015-0311) that is expected to be released sometime next week (http://helpx.adobe.com/security/products/flash-player/apsa15-01.html)

isc.sans.edu has raised the Infocon Threat Level to Yellow as a result of this unpatched Flash vulnerability.

Also of note, I'm not entirely sure if Chrome is also vulnerable but apparently it wasn't being targeted from what I understand[1]. I'm not sure if this is for one or both of the reported vulnerabilities.

EMET 5.1 also appears to block the exploit in IE11 32-bit[1].

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

 

[postmortemIA]

Just when the hell will HTML 5 take a hold? Why doesn't YouTube just ditch Flash and force the HTML 5 revolution?

NoScript and Sandboxie FTW!

it did took a good hold because of mobile devices. Android and OSX browsers support it, but not Flash. Many sites will automatically switch to HTML5 player when they detect browser without Flash.

I have Flash disabled, and only site that I visit that is not on HTML5 yet is ESPN. For a few months I have enjoyed many sites mostly ad-free, since flash ads would not be loaded; but now they wised up and they're playing HTML5 ads.

 

[Elixer]

16.0.0.296 is now out...