Alert

Security Updates for Adobe Flash Player (APSB15-02)

Jan 22, 2015 2:09AM PST

Release date: January 22, 2015

Vulnerability identifier: APSB15-02

Priority: See Bulletin

CVE number: CVE-2015-0310

Platform: All Platforms

Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform.

Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.

Adobe recommends users update their product installations to the latest versions:

• Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.287.
• Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.262.
• Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.438.
• Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.287.

Affected software versions

• Adobe Flash Player 16.0.0.257 and earlier versions
• Adobe Flash Player 13.0.0.260 and earlier 13.x versions
• Adobe Flash Player 11.2.202.429 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe recommends users update their software installations by following the instructions below:

• Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to Adobe Flash Player 16.0.0.287 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.

• Adobe recommends users of the Adobe Flash Player Extended Support Release should update to version 13.0.0.262 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.

• Adobe recommends users of Adobe Flash Player for Linux update to Adobe Flash Player 11.2.202.438 by visiting the Adobe Flash Player Download Center.

• Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 16.0.0.287.

• Adobe Flash Player installed with Internet Explorer for Windows 8.x will be automatically updated to the latest version, which will include Adobe Flash Player 16.0.0.287.

For additional details (including Priority & Severity Ratings) see the Security Bulletin:
http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

NOTE: If using the Adobe Flash Player Download Center, please be aware of any pre-checked optional downloads. Flash Player will run properly without them.

* * * * * * * * * *
For additional information see: Flash Patch Targets Zero-Day Exploit

Additional Links..
Jan 22, 2015 2:21AM PST

Flash Player - Downloads:
http://www.adobe.com/products/flashplayer/distribution3.html

Uninstall Flash Player | Windows:
http://helpx.adobe.com/en/flash-player/kb/uninstall-flash-player-windows.html
http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe ⇐ direct download

Flash Player FAQ:
http://www.adobe.com/products/flashplayer/faq.html

Note: Please be aware of any pre-checked optional downloads when updating. Flash Player will run properly without them.

UPDATE: Security Advisory for Adobe Flash Player (APSA15-01)
Jan 22, 2015 10:04PM PST

The following was posted @ the Adobe Product Security Incident Response Team (PSIRT) Blog last night, after the Security Bulletin (APSB15-02) was published:

"A Security Advisory (APSA15-01) has been published regarding a critical vulnerability (CVE-2015-0311) in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26."

http://blogs.adobe.com/psirt/?p=1160

Note: When a patch becomes available it will be posted here.
___________________

Remaining information in Security Advisory (APSA15-01):

Affected software versions

• Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
• Adobe Flash Player 13.0.0.262 and earlier 13.x versions
• Adobe Flash Player 11.2.202.438 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Severity ratings

Adobe categorizes this as a critical vulnerability.

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

LATEST UPDATE: Advisory for Adobe Flash Player (APSA15-01)
Jan 25, 2015 2:09AM PST

Release date: January 22, 2015

Last updated: January 24, 2015

Vulnerability identifier: APSA15-01

CVE number: CVE-2015-0311

Platform: All Platforms

Summary

A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

Affected software versions

• Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
• Adobe Flash Player 13.0.0.262 and earlier 13.x versions
• Adobe Flash Player 11.2.202.438 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Revisions

January 24, 2015: Updated to include Flash Player version delivered via auto-update.

January 24, 2015: Updated to reflect reports that Windows 8.1 is also affected by CVE-2015-0311.

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
____________

NOTE: Flash Player 16.0.0.296 offline installers are now available: https://www.adobe.com/products/flashplayer/distribution3.html

UPDATE: Security Advisory for Adobe Flash Player (APSA15-02)
Feb 4, 2015 10:26PM PST

Release date: February 2, 2015

Last updated: February 4, 2015

Vulnerability identifier: APSA15-02

CVE number: CVE-2015-0313

Platform: All Platforms

Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

UPDATE (February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

Affected software versions

• Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh
• Adobe Flash Player 13.0.0.264 and earlier 13.x versions

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Severity ratings

Adobe categorizes this as a critical vulnerability.

Revisions

February 2, 2015 - removed Flash Player version 11.x from the list of affected versions. Version 11.x and earlier do not support the functionality affected by CVE-2015-0313.

February 4, 2015 - updated to include Flash Player version delivered via auto-update.

http://helpx.adobe.com/security/products/flash-player/apsa15-02.html

* * * * * * * * *
Also See:
Adobe Patches Flash Player Zero-Day Vulnerability
Adobe Begins Patching Third Flash Player Zero Day
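
For checking many machines against the three advisories in this thread, the following is an added example (not from Adobe or the original posts). It compares inventoried Flash Player versions with the "and earlier" versions listed above, treating 13.x as the Extended Support Release branch; the function names and inventory rows are constructed for illustration.

```python
# Added example: thresholds are the "and earlier" versions quoted in this thread.
def parse(version):
    """'16.0.0.287' -> (16, 0, 0, 287). Compare as integers: as strings,
    '16.0.0.96' would sort after '16.0.0.305'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields: {version!r}")
    return parts

# Highest affected version per branch; None = no version listed for that branch.
ADVISORIES = [
    ("APSB15-02", "CVE-2015-0310",
     {"main": "16.0.0.257", "esr13": "13.0.0.260", "linux": "11.2.202.429"}),
    ("APSA15-01", "CVE-2015-0311",
     {"main": "16.0.0.287", "esr13": "13.0.0.262", "linux": "11.2.202.438"}),
    ("APSA15-02", "CVE-2015-0313",
     {"main": "16.0.0.296", "esr13": "13.0.0.264", "linux": None}),
]

def branch(platform, ver):
    """13.x is the Extended Support Release and has its own thresholds."""
    if ver[0] == 13:
        return "esr13"
    return "linux" if platform == "linux" else "main"

def open_advisories(platform, version):
    """Return the (bulletin, CVE) pairs whose affected range covers this install."""
    ver = parse(version)
    hits = []
    for bulletin, cve, last_affected in ADVISORIES:
        limit = last_affected[branch(platform, ver)]
        # APSA15-02 revision: 11.x and earlier lack the affected functionality.
        exempt = bulletin == "APSA15-02" and ver[0] <= 11
        if limit is not None and not exempt and ver <= parse(limit):
            hits.append((bulletin, cve))
    return hits

# Constructed inventory: (host, platform, installed Flash Player version)
INVENTORY = [
    ("ws-01", "windows", "16.0.0.287"),
    ("ws-02", "windows", "16.0.0.305"),
    ("mac-01", "macintosh", "13.0.0.262"),
    ("lnx-01", "linux", "11.2.202.438"),
]

if __name__ == "__main__":
    for host, platform, version in INVENTORY:
        cves = [cve for _, cve in open_advisories(platform, version)]
        print(f"{host:7} {version:13} {', '.join(cves) or 'none listed'}")
```

An empty result means only that none of the three advisories in this thread lists the version as affected; it says nothing about later bulletins.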