Good news from Adobe about CVE-2015-0311, the unpatched zero-day in Flash.
Adobe’s original advisory, APSA15-01, issued on 2015-01-22, warned of a Flash vulnerability being actively targeted in the wild.
The advisory noted that a patch was being worked on post-haste, but would probably only ship some time in the week starting 2015-01-26.
With active attacks going on, but no official patch, we offered a number of mitigations that you could try while you were waiting.
→ Our Flash security tips will protect you next time, so they’re worth looking at anyway.
The good news is that Adobe got its patch ready early, although you can only get it via auto-update at the moment.
According to a note added on 2015-01-24 to the APSA15-01 advisory:
Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 126.96.36.1996 beginning on January 24. This version includes a fix for CVE-2015-0311.
But if you prefer to download Adobe’s corporate-flavour standalone installers, you’ll have to wait a bit longer:
Adobe expects to have an update available for manual download during the week of January 26.
The standalone installers do just what they say: instead of a small stub installer that goes online every time you run it to fetch the rest of the Flash software, the standalones are completely self-contained. (Please read Adobe’s FAQ before using the standalones.)
This means you can install the latest Flash Player even on a computer that is disconnected from the internet.
Better yet, the standalone installers don’t include any foistware – by that, we mean the various third-party software products that Adobe leans on you to install along with Flash.
Lastly, the Flash components from Adobe that are built into some third-party browsers aren’t quite ready yet:
We are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
The bottom line
If you have your own installation of Flash, you can update it right now (if it hasn’t updated itself already) and get patched against the recently-announced CVE-2015-0311 zero-day.
If you have updates set to “Notify” or “Never check”, you can force an update using the [Check Now] feature, as you see here, for example, in the OS X System Preferences:
Well done to Adobe for responding quickly!
Note. Although the crooks can, and do, change their malware payloads at any time, the attacks currently [2015-01-26T07:00Z] associated with these zero-day threats seem to be a malware family called Troj/Bedep by Sophos products, delivered by an exploit kit component from the family Troj/SwfExp. The Angler exploit kit that is reported to have been used to deliver the Flash payloads is variously detected using the family names Mal/ExpJS and Troj/JSRedir.