Earlier today Adobe published a security bulletin announcing a security update for Flash Player, its web browser plugin. This update can be considered “out of band” since it was not released on Adobe’s usual schedule of issuing updates on the second Tuesday of the month (it does, however, contain the fixes that were scheduled for release next week).
This update resolves 36 CVEs (definition of the term CVE), one of which is among the zero-day exploits (zero day defined) found after a large release of documents from the Italian hacking firm “Hacking Team” as a result of a data breach. Further analysis of this use-after-free flaw is available in this Trend Micro blog post. An explanation of what a use-after-free vulnerability is can be found in this blog post.
Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome 43 have received this update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1.
As always, if you have Flash Player installed, I would recommend installing the necessary updates as soon as possible, since the zero-day flaw (CVE-2015-5119) is being exploited by multiple exploit kits at this time. You can check if you have Flash Player installed using this page.
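Checking for Flash Player by hand works for one machine; for a fleet it helps to script the check. The following is an added example written for this post, not code from Adobe or from the original article. It assumes Adobe’s version formats (“18,0,0,194” in the registry, “18_0_0_194” in plugin filenames such as NPSWF32_18_0_0_194.dll), assumes the registry keys under HKLM\SOFTWARE\Macromedia used by the ActiveX and NPAPI installers, and uses a placeholder for the fixed build number, which should be taken from Adobe’s bulletin. The point it demonstrates is comparing builds numerically: comparing “18.0.0.209” and “18.0.0.94” as strings gets the answer backwards.

```python
"""Report whether an installed Flash Player build is older than the fixed build.

Added example (not part of the original post). FIXED_VERSION is a placeholder;
the registry paths are assumed from the ActiveX/NPAPI installers of the time.
"""
import platform
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "99.0.0.0"  # PLACEHOLDER: substitute the build from Adobe's bulletin

Version = Tuple[int, int, int, int]

# Assumed registry locations; each holds a REG_SZ "Version" such as "18,0,0,194".
ASSUMED_REGISTRY_KEYS = {
    "activex": r"SOFTWARE\Macromedia\FlashPlayerActiveX",
    "plugin": r"SOFTWARE\Macromedia\FlashPlayerPlugin",
}


def parse_version(text: str) -> Optional[Version]:
    """Accept '18,0,0,194', '18.0.0.194' or '18_0_0_194' and return an int tuple."""
    m = re.search(r"(\d+)[.,_](\d+)[.,_](\d+)[.,_](\d+)", text)
    if not m:
        return None
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def version_from_filename(name: str) -> Optional[Version]:
    """Extract the build from plugin filenames like NPSWF32_18_0_0_194.dll
    or Flash32_18_0_0_194.ocx (constructed examples of the naming scheme)."""
    m = re.search(r"_(\d+_\d+_\d+_\d+)\.(?:dll|ocx)$", name, re.IGNORECASE)
    return parse_version(m.group(1)) if m else None


def is_outdated(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing each component as an integer."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None or b is None:
        raise ValueError(f"unparseable version: {installed!r} / {fixed!r}")
    return a < b


def installed_versions_windows() -> Dict[str, str]:
    """Read installed Flash builds from the (assumed) registry keys.
    Returns an empty dict on non-Windows hosts or when nothing is installed."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only available on Windows

    found: Dict[str, str] = {}
    for label, path in ASSUMED_REGISTRY_KEYS.items():
        try:
            # KEY_WOW64_32KEY: the installers write the 32-bit view of the hive.
            access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
                value, _ = winreg.QueryValueEx(key, "Version")
                found[label] = str(value)
        except OSError:
            continue  # key absent: that component is not installed
    return found


def report(found: Dict[str, str], fixed: str = FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """Return (component, installed version, outdated?) rows for each finding."""
    return [(label, ver, is_outdated(ver, fixed)) for label, ver in sorted(found.items())]


if __name__ == "__main__":
    rows = report(installed_versions_windows())
    if not rows:
        print("Flash Player not found (or not a Windows host)")
    for label, ver, outdated in rows:
        print(f"{label}: {ver} -> {'UPDATE NEEDED' if outdated else 'ok'}")
```

On a Windows host the script prints one line per installed component; elsewhere `installed_versions_windows()` returns nothing and only the parsing and comparison logic is exercised, which is what an inventory tool on another platform would reuse.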
Update: 11th July 2015: According to this blog post from FireEye, another Adobe Flash Player vulnerability has been made public as a result of the data breach involving the “Hacking Team”. Adobe plans to address this remaining vulnerability next week. I will update this blog post when the next set of appropriate updates are made available.
Update: 13th July 2015: A third zero-day vulnerability has been found in Adobe Flash according to Trend Micro. As stated above, further patches are expected from Adobe this week which will address these remaining vulnerabilities. Adobe’s security advisory has been updated to reflect this further zero-day vulnerability.
While these updates are pending release, I would recommend enabling Click-to-Play in your browser (supported by all major web browsers with the exception of Internet Explorer) so that the browser asks for your permission before any Flash content runs. US-CERT also provides further advice in this vulnerability note.
Update: 20th July 2015: Apologies for the delay in updating this post. As mentioned in my July update summary post, Adobe released a Flash Player update to resolve the remaining two zero-day flaws. Please install the update as soon as possible.
In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET, as detailed in this post, in order to mitigate Flash-based vulnerabilities being exploited through applications that can open Microsoft Office documents and/or Adobe PDF files.