Adobe patches Flash against latest flaw - but how long until the next zero-day bug?

Good news for the many users of Flash out there - Adobe has issued a fixed version (16.0.0.305) which reportedly fixes a vulnerability that has been exploited by web adverts on sites such as DailyMotion.

The vulnerability, which exists in all supported platforms including Windows, Mac OS X and Linux, is known as CVE-2015-0313, and was being actively exploited by hackers who were installing malware on visiting computers running Internet Explorer and Firefox on Windows 8.1 and earlier.

According to an updated Adobe security advisory, automatic updates began rolling out yesterday:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

Sure enough, when I checked my Mac System Preferences I was able to determine that Flash had automagically updated itself without me having to do anything.

You can check which version of Flash you have installed on your computer here.

Earlier this week I explained how to enable click to play in your web browser to prevent Flash elements from automatically running when you visit a webpage which contains Flash content - and this continues to be a good idea to better protect yourself from future attacks.

The sad truth is that this is just the latest in a series of recently-discovered exploitable vulnerabilities in Flash. It's not going to be the last. Chances are that there is another zero-day vulnerability in Adobe Flash just around the corner.

Protect yourself now by either removing Flash from your computers or (if, as is likely, you decide that's unviable) enabling "Click to Play" to give your computers an additional layer of protection against Flash attacks.

Alternatively, keep your head in the sand and sing along with the following...


3 Responses

  1. John

    February 6, 2015 at 1:16 pm

    Thanks for these updates. Your work is so helpful these days!

    After your last article, I decided to set all browsers into the click-and-play mode. After browsing for about a day, I must say that I am quite shocked by the number of sites that still rely on Flash, and do so heavily. Who ever heard about HTML5, errr… ?? That, in itself, makes me think: "if they can't or won't move their site to HTML5, what else should I not be trusting here?".

    So thank you for your input – and hell, I will certainly keep clicking, although sometimes it's a bit of a hassle.

  2. Chris Thomas

    February 7, 2015 at 5:49 pm

    Windows (XP and later) users can harden their web browser processes by using Malwarebytes Anti-Exploit which is free when web browsers alone are protected. Anti-Exploit Free protects browsers with the following executable filenames: –
    chrome.exe
    firefox.exe
    iexplore.exe
    opera.exe

    Anti-exploit protection covers plugins run by the above. This includes Adobe Flash.

    I have no connection with Malwarebytes, a highly reputable and respectable firm.

  3. Chris Thomas

    February 10, 2015 at 11:43 am

    I have a hunch that Adobe Flash is lighter on computer resources than HTML5 alternatives. I find that Youtube plays far smoother when played on Opera 12 than on Firefox 35. Hmmmmm.
