Adobe goes out of band to fix frightful Flash flaw

Adobe has issued an out-of-band fix to address what the company warns is an actively-targeted vulnerability in its Flash media plug-in. The company said that the Flash 12.0.0.44 update would address a remote code execution vulnerability present in the Windows, OS X, and Linux versions of Flash Player. Users running Chrome and …

COMMENTS

This topic is closed for new posts.
  1. fortran

    I am in western Canada. I saw notes of this out of band update a couple of hours ago on another site. On a Windows box, I just updated Firefox, Thunderbird and plugins (maybe 20 minutes ago). The Firefox check for updates did not say there was an update for Flash available.

    I also run Debian machines, and it will be a while before those filter through. But, I just did an apt-get update and checked the list of things that are updateable, and nothing flash is there yet.

    1. Paul Crawford Silver badge

      Just checked on my Linux box and found an update for flash.

      1. This post has been deleted by its author

  2. gubbool

    Thanks to Steve Jobs, I have always been afraid of anything Adobe.

    I wonder how many machines being used to watch the Super Bowl got bit by the NSA (or better).

    1. Destroy All Monsters Silver badge

      If you watch Super Bowl you deserve what you get!

    2. Anonymous Coward

      >Thanks to Steve Jobs, I have always been afraid of anything Adobe.

      Indeed, everybody was pissed they couldn't watch Flash video on their iDevices at the time but the guy really did the world a service.

      I have been aggressively hating Flash ever since realizing back in ~2003 (?) that the most trivial Flash ad on a web page would usually suck up 2/3 of my laptop's battery power (and make it loud and hot to boot), not to mention the incessant security blunders and horrible update process. I still don't understand how my laptop can happily play a Blu-ray rip and be at around 20% CPU utilization but as soon as I play a crappy-quality Flash streaming video it maxes out an entire core...

    3. Michael Wojcik Silver badge

      > Thanks to Steve Jobs, I have always been afraid of anything Adobe. I wonder how many machines being used to watch the Super Bowl got bit by the NSA (or better).

      Thanks to Steve Jobs, I have always[1] been afraid to watch the Super Bowl.

      [1] Where "always" means "since 1984".

  3. Anonymous Coward

    Aaand... updated.

    Had this update in our repository within five minutes of receiving this particular advisory.

    Have to say though... considering that Patch Tuesday is a week away this must've been pretty damned urgent for Adobe to release an out-of-cycle patch. Most of the time we'd be waiting another week. Or two. Or three.

    1. Anonymous Coward

      Re: Aaand... updated.

      Microsoft have updated it out of cycle too. Very unusual for them.

  4. Tom 7

    Nominative Determinism

    Adobe in wet weather = latticework of sticks.

  5. David 155

    auto update?

    "Users running Chrome and Internet Explorer will automatically download the update through their browsers, while other users can obtain the fix through Adobe's Download Center."

    Does their auto updater (accessed through the control panel) not work then?

    1. Jellied Eel Silver badge

      Re: auto update?

      "Does their auto updater (accessed through the control panel) not work then?"

      Depends on your definition of 'work'. If you mean automatically launches itself at startup telling you there's a new version of Flash despite setting update checks to 'never', then no it does not work. I live in hope that some day Adobe will release an updater that simply does what you tell it to do.

  6. AJ MacLeod

    Linux Support

    The question is, do they class the Linux update as less critical because it's less vulnerable in this case or just because they couldn't care less about supporting Linux?

    1. Anonymous Coward

      Re: Linux Support

      "do they class the Linux update as less critical because it's less vulnerable in this case"

      No - it's just as simple to exploit Flash under Linux. That there are hardly any desktop Linux users and currently no specific targeted exploit is the reason the risk is lower.

      1. eulampios

        Re: Linux Support

        No - it's just as simple to exploit Flash under Linux.

        Is it easy to say, or easy to do?

        Have you written it for this one already so we, Linux desktop users, aka ghosts, could all try? E.g., on this system LMDE, with the kernel being 3.12.9-custom+, x86_64 GNU/Linux.

        Thanks in advance.

        1. Anonymous Coward

          Re: Linux Support

          To exploit the latest and greatest underlying OS as well as Flash, you would need an appropriate 0day - which would be available for the appropriate fee in the right places. There are holes like this in Linux all the time: For instance this one last week: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0038.html

          1. eulampios

            @ac: ignorance is a good weapon

            grep -i CONFIG_X86_X32 /boot/config-$(uname -r)

            # CONFIG_X86_X32 is not set

            I specifically gave you the name of my distro, which ships Debian kernels, as most of the other ones happen to be immune to this. And, btw, Canonical shipped the fix the same day it was announced. So, dear AC, you have to admit that it's not as straightforward as you suggested, given the heterogeneity of the Linux population (which is almost non-existent according to you, or whichever AC was there above).

            However, it was said by the original AC to be a piece of cake to get an exploit utilizing some Linux kernel vulnerability through this flashplayer one. In this regard, a working exploit (at least for some distros) should be provided/linked to, or a few similar ones that existed in the past.
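            As an added example (not posted by anyone in this thread), a small POSIX shell script that generalizes the grep above: it reports whether a kernel config has the x32 ABI (CONFIG_X86_X32) enabled, which the thread names as the precondition for CVE-2014-0038, and also reads /proc/config.gz where a distro provides it. The two sample config files it writes are constructed for illustration; find_config and x32_status are names chosen here.

```shell
#!/bin/sh
# Added example: is the x32 syscall ABI (CONFIG_X86_X32) compiled into a kernel?
# x32_status FILE prints "disabled", "enabled" or "unknown" and returns 0/1/2.
x32_status() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 2
    fi
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;   # /proc/config.gz style source
        *)    reader="cat" ;;        # plain /boot/config-<release> style source
    esac
    # "CONFIG_X86_X32=y" means the x32 ABI is built in;
    # "# CONFIG_X86_X32 is not set" means it is not.
    if $reader "$cfg" | grep -q '^CONFIG_X86_X32=y'; then
        echo enabled
        return 1
    elif $reader "$cfg" | grep -q '^# CONFIG_X86_X32 is not set'; then
        echo disabled
        return 0
    else
        echo unknown    # option absent: kernel predates x32, or partial config
        return 2
    fi
}

# find_config prints the first readable config source for the running kernel.
find_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Constructed sample configs (assumed, not real kernels) so the check can be
# exercised without root: one with x32 disabled, one with it enabled.
tmp=$(mktemp -d)
printf 'CONFIG_X86_64=y\n# CONFIG_X86_X32 is not set\n' > "$tmp/config-safe"
printf 'CONFIG_X86_64=y\nCONFIG_X86_X32=y\n' > "$tmp/config-x32"

# Live check of this machine, when a config source is readable.
if src=$(find_config); then
    printf '%s: x32 ABI %s\n' "$src" "$(x32_status "$src")"
fi
```

            Run it with no arguments on a distro kernel; "disabled" corresponds to the "# CONFIG_X86_X32 is not set" line quoted above.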

            1. Anonymous Coward

              Re: @ac: ignorance is a good weapon

              That vulnerability was just an example that they arrive all the time. The Linux kernel alone has about 700+ previously known security holes and new ones are always being found. As above, for the right fee, I am sure a new one would be found that would work on your specific version...

  7. Anonymous IV

    Out-of-band Flash update?

    Flash updates seem to come about twice a week, about as frequently as Adobe Reader updates.

    How easy it is to hate Adobe...

  8. Rick Giles

    Adobe on Linux

    The version of Adobe my Saucy Salamander is reporting it has is 11.2.202.335. The one on Adobe's site says it is 11.2.202.336.

    So I guess they weren't kidding when they said they would still provide security backports for Flash on Linux...

  9. fortran

    Non issue at Debian

    This morning, there were updates for Windows, and if one runs the update-flashplugin-nonfree program on Debian, it does download and install something. But there are no notes in the security, users or flash mailing lists, and nothing in the bug reports.

  10. Gene Cash Silver badge

    Ugh.

    At least they can autodetect and provide the 64-bit version for Linux when you go to download it.

    That's better than Mozilla where you have to scrabble around their FTP site to find the 64-bit versions of Firefox and Thunderbird.

  11. eulampios

    just make flash-plugin obsolete

    A resource hog and vulnerability magnet should be avoided at any cost. For youtube pretty much any decent video player can be used (10 times more efficiently), sometimes with the help of youtube-dl, e.g.:

    1) mplayer $(youtube-dl -g link-to-youtube-video)

    2) vlc link-to-youtube-video

    3) totem link-to-youtube-video

    and so forth...

    On some other sites it might be possible to find the video source by examining the html source. Then use flvstreamer or a player of your choice. In more intricate situations to resort to tcpdump (you still have to run flashplayer for a few seconds to "sniff" the source of the video).

  12. GoingGoingGone

    What about my trusty Playbook, TouchPad and Xoom?

    Or any other of the other billion Android devices still in circulation which were shipped with Flash which is no longer updated?

    Will also have to check if my Surface (WinRT) prompts for the autoupdate. My Chromebook did indeed. Did BB10 owners get the update too? Is this stuff sandboxed so we need not to worry?

    PS: The Playbook is still being sold as 'new' in quite a few places. They might have to eventually go on to negative price to get rid of them all. How many of them did the poor sods at BB make?

    - The owner of the 1001 (mostly dead) platforms
