Update: Adobe has released an update to counter the zero-day exploit

[Ketchup]

Well, this is odd. I was looking at the add-ons on my home desktop. and I see this:

That is the latest version of Flash I am seeing, running Firefox 35.0.1. Anyone else seeing this?

Update: Adobe has just released an update to counter this exploit:
http://www.scmagazine.com/adobe-rol...s-fix-for-latest-zero-day-bug/article/396491/

Downloads available here if you need them:
http://www.neowin.net/news/adobe-flash-player-1600305

 

[OlyAR15]

image isn't showing up.

 

[Chiefcrowe]

Just checked my plugins via FF and it reported that it is "vulnerable
16.0.0.296" when that is the latest version out right now, so I am not sure why that is.

 

[Ketchup]

image isn't showing up.

I am not sure why it isn't showing up for you. I just tried it on two different computers with two different browsers (which aren't signed into the forums) and it comes up just fine.

Anyone else having issues?

 

[Red Squirrel]

Been getting this for a while in Linux, and if I try to update it, it just points me to Flash's site, and it fails if I try to do it there. Have not bothered yet to try to do it manually. The current one I have is installed via package manager so I hate to try to do things manually and possibly end up with two versions or some kind of conflict.

In Mint 17.1 it's "vulnerable" out of the box and the popup is very annoying. I don't see what the point of this warning is, flash is ALWAYS vulnerable, but unfortunately lot of sites still use it so you still need it to work.

 

[BarkingGhostar]

LM17 s/w mgr just pushed a LM-based Flash update today.

 

[ninaholic37]

This was happening to me about two days ago in Linux. I had 11.2.202.425 so I upgraded to 11.2.202.440 and that got rid of the annoying warnings.

 

[lxskllr]

I am not sure why it isn't showing up for you. I just tried it on two different computers with two different browsers (which aren't signed into the forums) and it comes up just fine.

Anyone else having issues?

Not showing up for me. PrivacyBadger is marking s22.postimg.org as a tracker, and blocking it.

My version in Debian is marked vulnerable, but I'm not especially concerned. I keep it blocked 99.9% of the time, and am || close to just uninstalling it.

 

[ninaholic37]

I don't see what the point of this warning is, flash is ALWAYS vulnerable, but unfortunately lot of sites still use it so you still need it to work.

I agree. I only turned it on because I wanted to play Guitar Flash on Facebook. I wonder if downgrading to version 10 or 9 will stop the warnings. :hmm:

 

[Ketchup]

Thanks lxskllr. The image is from postimage.org. Ghostery blocked the first image, but didn't block the it once I brought up the full image.

 

[ninaholic37]

I wonder if downgrading to version 10 or 9 will stop the warnings. :hmm:

Success! I removed 11.2.202.440 and installed 10.3.183.90 (June 11, 2013) and it gives no warnings! If the v10 series lasted over 1.5 years without warnings and still works for everything you want to do, perhaps it's better to stick to that version.

 

[ninaholic37]

Interestingly, 11.2.202.228 (April 5, 2012) doesn't give me a warning either, but I heard that 11.2.202.335 will (January 14, 2014), so it seems that the v11 series (and all the others above it) was only contaminated with this "need to upgrade to work" bug some time after June 2013 and before 2014, as far as I can tell...

 

[Ketchup]

It is odd. I cannot Google anything from Mozilla about this version being vulnerable. Maybe it's just a bug.

 

[Ig]

http://blog.trendmicro.com/trendlab...ash-zero-day-exploit-used-in-malvertisements/
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

The latest version is vulnerable. Adobe hasn't released a fix yet.

 

[ninaholic37]

http://blog.trendmicro.com/trendlab...ash-zero-day-exploit-used-in-malvertisements/
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

The latest version is vulnerable. Adobe hasn't released a fix yet.

Ah, version 16 and 13 only. Linux Firefox 11.2.202.440 is ok then :thumbsup:

 

[Ketchup]

http://blog.trendmicro.com/trendlab...ash-zero-day-exploit-used-in-malvertisements/
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

The latest version is vulnerable. Adobe hasn't released a fix yet.

Good find; thank you. Interesting how it is affecting non-sequencial versions.

 

[Chiefcrowe]

Aha! that makes sense. So hopefully we'll see a fix this week.

http://blog.trendmicro.com/trendlab...ash-zero-day-exploit-used-in-malvertisements/
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

The latest version is vulnerable. Adobe hasn't released a fix yet.

 

[John Connor]

I'm surprised no one mentions why VLC is always showing vulnerable. It seems Mozilla and VLC point fingers at each other on why the version is showing vulnerable.

I'm referring to the web-based plugin.

 

[corkyg]

A few days ago, I got an email from Malwarebytes that may shed some light on the specific FLASH problem.

"Recently Kafeine, a keen malware hunter and friend of Malwarebytes, discovered a new (zero-day) exploit that attacks Adobe Flash Player. Distributed through the Angler Exploit Kit, the zero-day delivers malware that takes control of your computer to commit click fraud."

 

[ninaholic37]

I'm surprised no one mentions why VLC is always showing vulnerable. It seems Mozilla and VLC point fingers at each other on why the version is showing vulnerable.

I'm referring to the web-based plugin.

What does the VLC web plugin actually do? I thought it was to play Youtube videos but that doesn't seem to work, Youtube ignores it and always goes to Flash or HTML5.

 

[mikeymikec]

I'm running the latest version of FF and Flash, no warnings here (Win7 64).

I've never bothered to install the VLC web plug-in; I generally regard plug-ins to be a great way to introduce extra vulnerabilities to one's set-up. I'll tolerate Flash because it's pretty much a requirement for a lot of sites to work, but I have it set to 'ask to activate' in FF.

My wife had the "Flash vulnerable" message earlier today on YT. It was really odd as her version of FF was so out of date that it had to update twice. It still complained after updating FF (which didn't surprise me at the time). I didn't bother to check the Flash version before she updated it immediately afterwards. No more warning.

 

[John Connor]

What does the VLC web plugin actually do? I thought it was to play Youtube videos but that doesn't seem to work, Youtube ignores it and always goes to Flash or HTML5.

Specific applications like MP4 or MP3. If you are using Firefox, Pale Moon or Cyberfox you can see what VLC defaults to under Tools | Options | Applications.

 

[John Connor]

I've never bothered to install the VLC web plug-in; I generally regard plug-ins to be a great way to introduce extra vulnerabilities to one's set-up. I'll tolerate Flash because it's pretty much a requirement for a lot of sites to work, but I have it set to 'ask to activate' in FF.

Crap, I would bet VLC is more secure than flash. It seem there is a vulnerability for Flash once a month.

 

[Red Squirrel]

What I don't get about how insecure flash is, is why does the flash application even have code that allows those things to happen? Flash is basically a client to display information. It should not actually be able to DO things that change your computer. It should only be able to display you content.

Another one that always gets me even more is PDFs. Those are basically glorified images that require an overcomplicated viewer. Why is there so many exploits in those products?

 

[Bock]

Too fix it, go to adobes flash website, download and install. works from that point on