This was posted today in the [/forums/contributors/711010 Firefox 35 Release / Issues / Status] thread.
''Tyler Downer said''
<blockquote>
Hey all, Just an update. A 0day exploit has been discovered in Flash, 16.0.0.257 and below. Adobe has released an update to 16.0.0.287 which fixes this issue. All users should update to the latest flash immediately. It isn't known how far back this hold exists, but at this time assume all versions are affected.
</blockquote>
''Tyler Downer said''
<blockquote>
correction, this most recent update from adobe doesn't fully correct the security issue. Users should be prepared to update Flash when it's updated. We will be pursuing a Flash blocklist ASAP
</blockquote>
Since it's not just a Firefox 35 issue, I thought I should post this in its own thread.
Adobe's security bulletin [http://helpx.adobe.com/security/products/flash-player/apsb15-02.html APSB15-02] has more info, including this:
Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild. For the latest information, please refer to the PSIRT blog [http://blogs.adobe.com/psirt/ here].
Here's the bug for the current Flash Player blocklist request:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1124654 Bug 1124654] - Blocklist request for flash 0day affected version 16.0.0.257
Once the block takes effect for Flash Player, we can refer users to the article, [[Why do I have to click to activate plugins?]] since it will likely be a "Click to Play" block. (As for me, I've had Flash Player set to "ask to activate" for ages).
''AliceWyman [[#post-63786|said]]''
<blockquote>
Here's the bug for the current Flash Player blocklist request:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1124654 Bug 1124654] - Blocklist request for flash 0day affected version 16.0.0.257
</blockquote>
That blocklist request now also covers Flash 16.0.0.287 (and earlier versions).
Adobe's updated security bulletin:
http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
Flash player version 16.0.0.296 is now available, from https://www.adobe.com/products/flashplayer/distribution3.html
This seems to be a rather clumsy update from Adobe, rushed at a weekend I suppose.
The security bulletin updated 24th Jan
*[http://helpx.adobe.com/security/products/flash-player/apsa15-01.html apsa15-01.html] <blockquote>UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this '''post. [https://forums.adobe.com/thread/1152367 *]''' {my emphasis}</blockquote>
* The linked '''post''' is https://forums.adobe.com/thread/1152367 <br /> That has an interactive button <br />''Simply click the "Check Now" button and you'll be presented with a short message and detailed information regarding your Flash Player installation.'' <br />That gives '''incorrect''' information when tried from Linux. I have not tried it on Windows
* The bulletin continues on to say use http://www.adobe.com/products/flash/about/ to check your version. <br />That does identify my Flash Player version correctly. But I guess we will need to wait for the 26th before it updates to list the correct secure versions.
See [https://bugzilla.mozilla.org/show_bug.cgi?id=1124654 Bug 1124654] - Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
-----
Daniel Veditz [:dveditz] 2015-01-25 10:23:30 PST
<snip>
The advisory said 11.2.202.438 was affected and there is now a .440 newly available. Although I can't find anywhere Adobe has said .440 is the fix, neither is there anywhere they've said it was affected. It would be safer to have plugincheck mark only .438 and below as vulnerable and .440 as the "latest" for Linux.
-----
Flash Player 11.2.202.440 (Linux) is now available from https://www.adobe.com/products/flashplayer/distribution3.html
''AliceWyman [[#post-63816|said]]''
<blockquote><snip>
The advisory said 11.2.202.438 was affected and there is now a .440 newly available. Although I can't find anywhere Adobe has said .440 is the fix, neither is there anywhere they've said it was affected. It would be safer to have plugincheck mark only .438 and below as vulnerable and .440 as the "latest" for Linux.
-----
Flash Player 11.2.202.440 (Linux) is now available from https://www.adobe.com/products/flashplayer/distribution3.html
</blockquote>
For some reason the 11.2.202.438 still kept showing up as 11.2.202.429 for me, even after a few tries, even though it was properly pointing to the new version in about:plugins; however the 11.2.202.440 does show up as 11.2.202.440 correctly.
The http://www.adobe.com/products/flash/about/ currently shows 11.2.202.438 as current as I guess 11.2.202.440 is not officially out till Jan 26 as http://get.adobe.com/flashplayer/ still has 11.2.202.438.
''James [[#post-63817|said]]''
<blockquote>
The http://www.adobe.com/products/flash/about/ currently shows 11.2.202.438 as current as I guess 11.2.202.440 is not officially out till Jan 26 as http://get.adobe.com/flashplayer/ still has 11.2.202.438.
</blockquote>
Those pages haven't been updated for Windows either, even though 16.0.0.296 is available for Windows and Mac from https://www.adobe.com/products/flashplayer/distribution3.html (11.2.202.440 is listed for Linux).
By the way, I was able to download and install Flash 16.0.0.296 on my iMac (OS X 10.6.8) from the Apple menu -> System Preferences /Other -> Flash Player -> Advanced /Updates by clicking on "Check Now".
Ref: http://helpx.adobe.com/flash-player/kb/flash-player-background-updates.html#Change%20your%20update%20settings
''John99 [[#post-63813|said]]''
<blockquote>
The security bulletin updated 24th Jan
*[http://helpx.adobe.com/security/products/flash-player/apsa15-01.html apsa15-01.html] <snip>
* The linked '''post''' is https://forums.adobe.com/thread/1152367 <br /> That has an interactive button <br />''Simply click the "Check Now" button and you'll be presented with a short message and detailed information regarding your Flash Player installation.'' <br />That gives '''incorrect''' information when tried from Linux. I have not tried it on Windows
</blockquote>
On Windows, the "Check Now" button at http://helpx.adobe.com/flash-player.html tells me this:
Congratulations, your computer has the latest Flash Player beta version installed. ( Your version16.0.0.296 Latest Version16.0.0.287 )
Adobe Security Bulletin [http://helpx.adobe.com/security/products/flash-player/apsb15-03.html apsb15-03] was released yesterday and http://get.adobe.com/flashplayer/ is now updated.
https://addons.mozilla.org/en-us/firefox/blocked/
*January 28, 2015: [https://addons.mozilla.org/en-us/firefox/blocked/p828 Flash Player Plugin 15.0.0.243 to 16.0.0.2'''87''' (click-to-play)]
*January 28, 2015: [https://addons.mozilla.org/en-us/firefox/blocked/p826 Flash Player Plugin on Linux 11.2.202.425 to 11.2.202.4'''39''' (click-to-play)]
*January 28, 2015: [https://addons.mozilla.org/en-us/firefox/blocked/p824 Flash Player Plugin 13.0.0.259 to 13.0.0.2'''63''' (click-to-play)]
the blocklist is now live but the [https://www.mozilla.org/plugincheck/ plugincheck page] has multiple issues which will likely cause lots of confusion amongst users (users get redirected to the plugin check when they click on the red "check for update" button on the blocked plugin content):
* <s>for firefox 35 users the plugincheck page will hang and not return results when there's an outdated version of java present and users don't click-to activate: [https://bugzilla.mozilla.org/show_bug.cgi?id=1110451 bug #1110451]</s>
* the plugincheck isn't working correctly in firefox versions pre-34 (including 31ESR) and will report old flash versions as up to date - so one part of firefox is telling users that their version is vulnerable and they should update & the part responsible for the update says the opposite. that's [https://bugzilla.mozilla.org/show_bug.cgi?id=1084537 bug #1084537]
edit: i just tried it myself and the plugincheck page seems to hang regardless if java is present or not - on irc it was confirmed that it is a load issue on the servers:
http://i.imgur.com/D5gJxkx.png
What's happening is that, when the Flash plugin is blocked, people see this:
;[[Image:Click to play 1 new]]
The "Check for updates..." button takes them to the Plugin Check webpage (ref: [[Why do I have to click to activate plugins?#w_how-click-to-activate-works]]) which may be having issues.
If people need to update Flash and are having problems with the PluginCheck page, you can tell them to simply follow the instructions in [[Flash Plugin - Keep it up to date and troubleshoot problems#w_updating-flash]] under "Updating Flash". That article links to the [http://get.adobe.com/flashplayer Flash Player download page] and, for Windows, includes a direct .exe link to the full Flash Player installer for people having problems.
''philipp [[#post-63882|said]]''
<blockquote>
edit: i just tried it myself and the plugincheck page seems to hang regardless if java is present or not - on irc it was confirmed that it is a load issue on the servers:
http://i.imgur.com/D5gJxkx.png
</blockquote>
*[https://bugzilla.mozilla.org/show_bug.cgi?id=1127268 Bug 1127268] - Plugins.mozilla.org overrun due to users from Flash Blocklist link
the [https://www.mozilla.org/en-US/plugincheck plugin check results] are really all over the place - now it is showing the current 16.0.0.296 as vulnerable. as it stands currently, the site is really causing more harm and confusion than helping the users :-/
edit: ok, there's actually a new 0-day vulnerability around, so adobe can't keep up with all its fixes as it appears...
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
<blockquote>A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.</blockquote>
<blockquote>Affected software versions
Adobe Flash Player 16.0.0.2'''96''' and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.2'''64''' and earlier 13.x versions</blockquote>
Linux was mentioned then removed as it is not affected.
According to revision of https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
<blockquote>UPDATE (February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.'''305''' beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.</blockquote>
<blockquote>February 4, 2015 - updated to include Flash Player version delivered via auto-update.</blockquote>
https://www.adobe.com/products/flashplayer/distribution3.html
flash player 16.0.0.'''305''', 13.0.0.2'''69''' esr and the 11.2.202.4'''42''' for Linux is now available for download.
New https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
The Blocklist has been updated. https://addons.mozilla.org/firefox/blocked/
February 5, 2015: [https://addons.mozilla.org/firefox/blocked/p832 Flash Player Plugin 16.0.0.295 to 16.0.0.30'''4''' (click-to-play)]
February 5, 2015: [https://addons.mozilla.org/firefox/blocked/p834 Flash Player Plugin 13.0.0.263 to 13.0.0.26'''8''' (click-to-play)]
February 5, 2015: [https://addons.mozilla.org/firefox/blocked/p830 Flash Player Plugin on Linux 11.2.202.439 to 11.2.202.44'''1''' (click-to-play)]
When trying the direct Flash Player DL link used in Sumo’s articles to get the 16.0.0.306 Flash update yesterday, it was working but still pointing to the older 16.0.0.296 version. The same was true for the link mentioned on their [http://www.adobe.com/nl/products/flashplayer/distribution3.html distribution page] mentioned above. Today, the link we use has been updated all right, but the one on the distribution page ''still hasn't'' (!) at the time of writing this, even though the page calls it 16.0.0.305. In any case Adobe wasn’t quick on updating their direct/full installers recently, though they stated they would expect to release the ‘manual’ update afterwards on Feb. 5 (see above) while it even became Feb. 6.
This means users who rely on the manual DL link weren't able to update their player for the past few days (either at Adobe’s pages or Sumo), hence were exposed to a serious vulnerability unless blocking it, and may have thought there's something wrong with either the KB article, the Plugin Check page, or Firefox/Thunderbird itself. My concern: Would there be a better way of providing an up-to-date link for Adobe or Mozilla (I guess not)?
I find this a little frustrating to say the least, as the system used here relies on the manual update file because the auto updater doesn’t work (i.e. when set to notify on updates, I never see any notification) and the installer obtained from the main download center simply doesn't do a thing besides lingering as a process in Task Manager. This may be related to the fact the system involved uses a 32 bit OS (Win) on a 64 bit CPU and the installer being not smart enough to get that, though that’s only an assumption. I've wanted to point this out to Adobe several times, but am not willing to sign up for some forum in order to contact them.
If anyone at Mozilla is able to point out both issues to Adobe (i.e. a working installer in any case and a fool-proof and quickly updated direct DL link), it would be great. And if this would result in the need to add some info to related articles or templates, of course…