Just like Flash exploits, it seems that Flash exploit stories come along in bunches, too, like those pesky buses you wait for.
No sooner had we written about Facebook’s new CSO’s weekend “Death to Flash” tweet…
…than an eagle-eyed Naked Security reader pointed us at a tweet from someone going by @MarkSchimdty, who seems to be something of a anti-Flash hacktivist, considering the photo accompanying his tweet:
BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now.
Not in my Flash in my Firefox, as it happens – with Flash set to “Always ask,” Firefox asked and then used Flash if I agreed.
But the facts behind the histrionics seemed to sort themselves out when I tried Abobe’s own Flash Tester (yes, I used click-to-play):
The latest update presumably fixes the vulnerabilities dubbed CVE-2105-5122 and CVE-2015-5123, announced earlier this week in Adobe’s APSA-15-04 security advisory:
These two security holes are yet more fallout from the data exfiltrated and dumped publicly when Italian security company Hacking Team was breached recently.
Interestingly, when I went looking I must have been a touch ahead of Adobe, because the above mentioned 220.127.116.11 Flash version wasn’t listed amongst the recent security communications:
And .209 wasn’t offered as an update, at least in my part of the world, when I manually asked Flash to check [2015-07-14T13:37Z](*):
But it was there when I went to Adobe’s Flash Player Distribution page, where holders of an Adobe Flash Player Distribution License Agreement can download foistware-free installers of the latest Flash product to deploy across their own networks:
Er, that’s it…there’s a critical Flash update.
If you have Flash, try to get it as soon as you can.
You may need to go digging on your own account, instead of waiting for Flash’s own updater to get round to you – Adobe understandably doesn’t push out automatic updates to every user in the world at the same time.
(If you have a browser with a built-in Flash version, you may have to wait, but at least you know to expect the new 18.104.22.168-flavoured release.)
Let’s hope the eager-beavers who have been digging through the Hacking Team debris have now found all the Flash hacks that were awaiting discovery!
(*) Yes. It really WAS 1337 UTC when I checked. I didn’t make that up 🙂