Adobe finds, patches ANOTHER exploited Flash 0day

Another exploited zero-day vulnerability has been uncovered and patched in Adobe Flash, 24 hours after a second flaw in the popular web trinket was found being used in attack kits. Adobe is examining yesterday's zero day, picked up by French researcher Kafeine who spotted it after analysing a version of the popular Angler …

  1. Anonymous Coward
    FAIL

    Flash seems like the most bug-ridden and damaged piece of software still in use today.

    If we all stopped allowing it on our machines, what would we really miss out on? Anything more than Ads and cat videos?

    iPads and iPhones have got along just fine without Flash for years now.

    Maybe it's time for a mass uninstall - get Adobe off our machines today!

    1. Anonymous Coward
      Anonymous Coward

      Anon4this

      "If we all stopped allowing it on our machines, what would we really miss out on? Anything more than Ads and cat videos?"

      Streaming porn and cam sites.

    2. TheVogon

      "Flash seems like the most bug-ridden and damaged piece of software still in use today."

      You must have not yet experienced the wonders of Java then...

    3. Sandtitz Silver badge
      WTF?

      "Flash seems like the most bug-ridden and damaged piece of software still in use today."

      Worst.Program.Ever?

      Chrome 40 - 62 security fixes, released two days ago.

      Chrome 39 - 42 security fixes, released Nov 2014

      Chrome 38 - 158 security fixes, released Oct 2014

      There were 5 more releases last year alone and I can't be bothered to check the rest of the release notes.

      But hey, maybe Google now really did smite the last remaining bugs!

      1. pixl97

        Re:Sandtitz

        Chrome did have a lot of bugs. In fact I assume all browsers have a great number of bugs because they try to do everything and the kitchen sink. That said, both Chrome and FF update quickly when there are active exploits in the wild. With IE you'll have to wait till patch Tuesday, unless it is really bad. Adobe is rather hated for taking a long time to patch exploits, and even worse, their update program taking forever to actually update, with the default setting of check once a week.

    4. John Tserkezis
      Facepalm

      "If we all stopped allowing it on our machines, what would we really miss out on?"

      I would love to, but right now, it's just not possible.

      Among other things, I get two different subscription online magazines that are delivered via, well, flash.

      Ironically, and perhaps much more sadly, they're both electronics and computing engineering rags.

      A forehead slap just isn't enough here.

    5. Anonymous Coward
      Anonymous Coward

      Cat videos? Youtube now uses html5 player so that isn't an issue. For desktop, the issue is that most big sites still choose flash to deliver content.

      Sites that use Flash:

      CNN, BBC, Foxnews, Bank of America, Citibank, NFL, UEFA, the list is endless. Oh yeah porn makes up 30 percent of all internet traffic whether you like it or not.

      Unless you seriously do everything from tablet or phone, that can be a problem.

    6. kb
      Facepalm

      Quite a lot actually

      Well let's see, HTML V5 is pretty much useless for web animation and web games, so all those are out, it's an insane resource hog on anything without H.264 acceleration, so all your older PCs and phones and tablets? yeah those are out too. What else, oh yeah HTML V5 has baked in DRM thanks to Apple and MSFT, and only supports a codec that is one of the biggest patent landmines in history so Linux users? Yeah you can give up now, You have to be one of the big three (Apple, Google or MSFT) or you'll be committing patent infringement and with HTML V5 DRM so easy to use most videos? Yeah you aren't gonna be able to watch 'em.

      Does Flash need a better alternative? Sure it does, it's creaky and old and buggy as hell. But sadly instead of demanding something actually BETTER than what we have what is happening is corporate interests are ramming through a "standard" that is about as user friendly as the first XB-One press conference. There is a whole lot for big corps and big media to like about HTML V5, requires new hardware, has DRM, lots of lock in, for the end user? Yeah not so much, pretty much worse than Flash in every way, worse CPU and memory usage, worse codec support, worse game and animation support, nothing but worse all the way round.

  2. James 29

    Great idea, but on Windows 8 it's part of the system (and part of the browser in Chrome)

    My only way to avoid this tech currently is to use Firefox and not install the plugin

    I don't miss Flash, and noticed increasing numbers of sites (using videos etc) that work fine without it

    The new BBC News site also does if you fudge your user agent

    1. Mystic Megabyte

      yes

      "The new BBC News site also does if you fudge your user agent"

      Details please!

      1. Dan 55 Silver badge

        Re: yes

        I suppose you fudge it to iPad or maybe Safari on Mac.

    2. Anonymous Coward
      Anonymous Coward

      "...you fudge your user agent"

      Given the suggested usage for Flash (Gentlemens' Pictorial Stress Relief), I'm wondering if "you fudge your user agent" is a euphemism for something else entirely.

  3. Richard Ball
  4. Anonymous Coward
    Anonymous Coward

    Wasn't Flash supposed to be history by now?

    I thought HTML5 was the future?

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Wasn't Flash supposed to be history by now?

      Silverlight is still out there, too, you know.

      It's Freddy and Jason do dance in your browser.

      That change owes much to Adobe security boss Brad Arkin who implemented a strategy that sped the time-to-patch from 10 weeks in 2009 when Arkin joined as a product security bod to a recent record of 36 hours.

      You can say what you want, but I would consider this as "taking security seriously". Microsoft doesn't even manage to reach circular orbit around this kind of deadline.

      1. TheVogon

        Re: Wasn't Flash supposed to be history by now?

        "Microsoft doesn't even manage to reach circular orbit around this kind of deadline."

        You must have missed:

        https://technet.microsoft.com/library/security/2755801

        Less than 24 hours from vulnerability to shipped patch.

  5. DerekCurrie
    Megaphone

    Flash 16.0.0.268 is the current patched version.

    I'm pointing this out because language in the article would lead casual readers to believe that:

    "The vulnerability affected Flash Player versions up to 15.0.0.223 and the latest 16.0.0.257."

    When in fact that latest is now 16.0.0.268, which hopefully patched the vulnerability.

    Adobe:

    Flash BAD!

    Speed of response GOOD!

    1. Anonymous Coward
      Anonymous Coward

      No, version 16.0.0.286 and lower are affected

      "TL:DR Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled."

      Not sure where The Register is quoting from but the original analyst clearly states that there is a zero day the Jan 22 patch did not address.

      However, Adobe already has a new patch for the new exploit. Patch ver 16.0.0.296, already being distributed through its auto update mechanism. Stand Alone installer will be released on Monday. The vulnerability was first reported on 1-21. A patch was issued 1-24, so 2 or 3 days from investigation to patch. Pretty good turnaround, but that does little for the people who were already infected.

      http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

  6. W. Anderson

    It is unfortunate that so much of Internet/Web software and services were designed to work only on Flash. Hopefully implementations of HTML5 will progress quickly to provide a far superior and less disastrous bug-ridden solution than is Flash.

    Adobe is idiotic in not Open Sourcing Flash many years ago, and it is mind-boggling that the Linux Foundation has accepted Adobe as a member/sponsor while the company refused to officially support all Free/Open Source Software (FOSS) Operating Systems - Linux and BSDs.

    Apple did the right thing. Abandon the crappy software altogether.

  7. Nordrick Framelhammer

    Who is copying from who

    Is it Adobe copying Oracle's crappy, buggy, insecure coding practices or is it vice versa.

    Or do I have completely the wrong end of the stick and are they in competition to see who can release the most versions with exploits in a year?

  8. Anonymous Coward
    Anonymous Coward

    ADOBEEEEEEEAST!!!

    I actively block the Adobeast!

  9. JCitizen
    Coffee/keyboard

    Flash

    Seems like most sites play with any modern browser without the flash application installed. For those of us that have to have flash installed for other applications to work you should have version 16.0.0.296 for all types installed.

    Many experts on Krebs on Security maintain it did not completely mitigate the vulnerability. It is causing a lot of confusion, but having EMET 5.1 is always a good thing to have on board. As far as flash goes, Chrome uses their own in house version, and the Chrome update addressed a pot load of vulnerabilities to that browser as well. All modern browsers newer and including IE-11 seem to play most flash videos without any special Adobe products in your programs folders. There are two applications:

    1. flash for Internet Explorer - Active X

    2. flash for non-IE browsers - Plug-in

    As far as I know number two is only for FireFox; any corrections are welcome.
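The comments above disagree about which Flash build is the safe one (16.0.0.268 vs 16.0.0.296, with 16.0.0.287 named as the last affected build), and JCitizen notes there are two separately installed flavours (ActiveX and plug-in). The following is an added example, not code from any commenter or from Adobe, showing how an inventory check should compare those dotted versions numerically; the thresholds are taken as stated in the thread and are assumptions, not verified here.

```python
"""Check recorded Flash Player versions against the thresholds quoted in the thread."""
from __future__ import annotations

# Assumed from the comments (APSA15-01 as quoted there), not verified here:
# builds up to and including 16.0.0.287 are affected; 16.0.0.296 carries the fix.
LAST_AFFECTED = "16.0.0.287"
FIXED = "16.0.0.296"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Comparing as strings is the classic mistake: "16.0.0.296" < "16.0.0.30"
    lexically, so a string compare would call the patched build 'older'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(FIXED)


def classify(version: str) -> str:
    """'patched', 'affected', or 'unknown' for builds between the two thresholds."""
    if is_patched(version):
        return "patched"
    if is_affected(version):
        return "affected"
    return "unknown"


# Constructed inventory for one host: both flavours the comment lists.
INVENTORY = {
    "ActiveX (Internet Explorer)": "16.0.0.268",
    "NPAPI plug-in (Firefox)": "16.0.0.296",
}


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each installed flavour to its status; both must be patched to be safe."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name}: {INVENTORY[name]} -> {status}")
```

The point of keeping both flavours in the inventory is that updating the plug-in does nothing for the ActiveX control, and vice versa.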
