Adobe addresses new 'actively exploited' critical vulnerability in Flash, users urged to update
Yet another severe flaw in Adobe's much-maligned Flash Player has been discovered and is being "actively exploited," the company said on Tuesday, and users with Flash installed are being urged to upgrade to the latest version as soon as possible.

The flaw -- assigned CVE ID 2015-3113 -- affects Flash Player version 18.0.0.161 and earlier as well as Flash Player Extended Support Release version 13.0.0.292 and earlier on both Windows and Mac. In a security advisory, Adobe said it is aware of "limited, targeted attacks" exploiting this flaw, though known attacks are limited to Windows systems for now.
According to the National Vulnerability Database, CVE-2015-3113 is a "heap-based buffer overflow" which "allows remote attackers to execute arbitrary code via unspecified vectors."
Mac users with Flash installed separately should update to version 18.0.0.194. Those who have Flash Player's automatic update capability enabled -- or those who use Chrome, which ships its own version of Flash -- should have already received the patch.
Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu. Instructions for enabling automatic updates or manually updating Flash can be found here.

Comments
I only have it on my MBP, I keep it off Macs I work on, but it seems to require an update twice a week these days. It is pathetic that some major web sites still have no alternative to Flash for much of their content. The BBC, one of my favorite sites, is a prime example of this Luddite attitude. I suspect that is the exact right phrase too!
How many times did we read titles like this?!
Every time is a black eye for Adobe. At some point (soon) they should retire the product.
Adobe needs to kill this lame technology, ASAP.
It will never die, because too many people see it as an industry standard. There is also an old guard of web designers that continue to use it...and websites that are fully functional and infrastructure built with Flash in mind. It is just not cost efficient to change all the backend design of websites. Flash is unfortunately here to stay for a long time.
I freakin hate Flash.
Every month there is a new exploitable error.
I freakin’ hate OS X.
Every month there is a new exploitable error, sometimes twice a month.
I finally removed Flash from all my Macs a few months ago and so far haven't found a website where I really need it. I make use of Safari's Develop tab using the iPad User Agent. This gives me a non-Flash page that works 90% of the time. I just wish these websites would see I don't have Flash and automatically use HTML5. I know Flash is used for more than simple video but its constant updating for security fixes makes it a product that should be removed from all computers because Adobe just can't secure it. I'm surprised a government agency or Congressman hasn't spoken out about this. Adobe must be paying Washington DC a bundle of money to leave it alone.
It will never die, because too many people see it as an industry standard. There is also an old guard of web designers that continue to use it...and websites that are fully functional and infrastructure built with Flash in mind. It is just not cost efficient to change all the backend design of websites. Flash is unfortunately here to stay for a long time.
This is the Navy's excuse for still using Windows XP and paying Microsoft a bundle of money to keep supporting it. What costs more to support old or non-secure software? The time it takes to retool or the time and cost it takes to continuously fix and patch software that isn't functioning properly or not supported by the manufacturer? Yes, a Model T still runs but you don't see more of them in a museum than on the road. Time to get with the 21st century.
It will never die, because too many people see it as an industry standard. There is also an old guard of web designers that continue to use it...and websites that are fully functional and infrastructure built with Flash in mind. It is just not cost efficient to change all the backend design of websites. Flash is unfortunately here to stay for a long time.
No, it isn't a standard anymore, and yes, it will die. A fuckload of websites have moved away from Flash the last few years, at least the competent ones. Any website that still requires Flash will never get my business or my support, and makes me look at the people behind it in an extremely negative light. Yes, of course it costs to move away, but with the current environment of hundreds of millions of phones and tablets that do not support Flash, which are often the primary computing device for people, anyone who DOESN'T think that is a worthwhile investment deserves to lose all their business.
You know what's worse than Flash? Adobe Air. A nasty, worthless abortion of a wannabe competitor to Java and C#, constantly asking for updates. At least few companies were dumb enough to use it, sadly Amazon selected it for its music apps.
1) uninstall Flash
2) let go of poorly crafted websites that use it for critical content
3) get used to a better and less cluttered web (this last step is a delight)
It's been some time now that anyone can live without Flash. It's no big deal.
I am sick of being asked to update Flash which seems to be every week!
I am not (well, not anymore). I removed it from my system. Yes, a few sites don't work without it. I found alternatives. Their loss, not mine.
No, it isn't a standard anymore, and yes, it will die. A fuckload of websites have moved away from Flash the last few years, at least the competent ones. Any website that still requires Flash will never get my business or my support, and makes me look at the people behind it in an extremely negative light. Yes, of course it costs to move away, but with the current environment of hundreds of millions of phones and tablets that do not support Flash, which are often the primary computing device for people, anyone who DOESN'T think that is a worthwhile investment deserves to lose all their business.
Even Adobe does not use Flash on their web site except on their download Flash test page. In terms of mobile devices they have Mobile Device Packaging for Flash which converts it to either an app or HTML5. Works really well. Flash Pro is a great platform for creating HTML5 content.
I don't have it on my MacBook. The only time I ever missed it was on the BBC news site. Today I had enough and deleted the BBC News bookmark and replaced it with another news site instead.
Bye bye BBC.