

CVE-2015-0311 – Adobe Flash Player Remote Vulnerability - guiambros
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0311

======
fjarlq
Chrome users: keep in mind that the builtin "click to play" is not actually a
security boundary:

[https://crbug.com/174963](https://crbug.com/174963)

Therefore the recommendation, if you can't disable Flash entirely, is to choose
"Block by default" in Chrome's plugin settings so that you have to right-click
and "Run This Plug-in" when you really want Flash to play. You can still
whitelist if you want.

~~~
vinhboy
Ahh crap. Thanks for this. I did not realize click-to-play was so pointless.

~~~
cm2187
Me too. I am every day more appalled by the lack of security of browsers. That
being said, logically, if you also have javascript disabled, I presume
click-to-play should be secure.

------
medecau
Disabled ALL plugins on Chrome about a month ago and barely noticed any
change. Seriously advise everyone in favor of disabling all plugins now.
[Edit] chrome://plugins/

~~~
MichaelGG
When I switched to Firefox from Chrome, Flash didn't come with it, and I left
it like this. In the very rare case, I pop open IE or Chrome. Works great!

~~~
fpgaminer
Agreed. Oddly enough, one of the only websites I have to open Chrome (which has
Flash installed) for is ... Google Music. It has an HTML5 setting, but that
seems to do nothing.

~~~
wjoe
As far as I know, the HTML5 option for Google Music does work in most
browsers, but not Firefox.

Apparently this is because it needs MediaSourceExtensions with HTML5 MP3
support, neither of which are in Firefox currently -
[https://bugzilla.mozilla.org/show_bug.cgi?id=911837](https://bugzilla.mozilla.org/show_bug.cgi?id=911837)

------
carey
Apparently(1) EMET prevents this Flash vulnerability from working. Might be
time to install it from (2) with the extra "Popular Software" settings on your
own PC and any you control.

(1)
[https://twitter.com/SwiftOnSecurity/status/55846182290312806...](https://twitter.com/SwiftOnSecurity/status/558461822903128065)

(2) [https://technet.microsoft.com/en-us/security/jj653751](https://technet.microsoft.com/en-us/security/jj653751)

~~~
maratc
"InfoSec Taylor Swift" (@SwiftOnSecurity) is a parody account, and I wouldn't
trust it on whether EMET prevents this vulnerability or not. Not saying that
it doesn't, just that we'd need more serious sources on that.

~~~
NamTaf
Swift on Security tends to be surprisingly on the pulse with respect to this
sort of stuff. Of course check a second source but don't write Tay Tay off
right away!

I'd love to know who runs it.

~~~
Asparagirl
It's not too hard to figure out. He/she's on Twitter and admits that he/she
hasn't been great with the OpSec. :-)

------
guiambros
Note: under Windows, Chrome will install Flash by default, so it's not enough
to uninstall the standalone Flash Player. The latest Chrome has Flash
16.0.0.287, which _is vulnerable_.

If you use Chrome, and want to be safe, go to about:plugins, and disable it
manually.

Under Linux the latest is 15.0.0.223, which is not vulnerable (but I'm using
Chrome 40.0.2214.10 beta, so YMMV).

~~~
pmontra
I thought that the latest Flash for Linux was 11.2. Where did you get v 15
from? Thanks.

~~~
tombrossman
I think it was the version bundled with Google's Chrome browser being referred
to, and not the standalone Adobe Flash Player for Linux, which is quite old
now.

~~~
experimental-
It isn't actually very old – not much older than current releases on other
supported platforms, because quite often security bugs affect it as well, and
Adobe updates it as well.

Adobe has promised to support the NPAPI Linux plug-in for a few more years
(IIRC till 2017). It doesn't get any new features, but security issues will be
fixed, usually at the same time as on other platforms.

------
tux
NOTE: Adobe Flash Player 11.2 will be the last version to target Linux as a
supported platform. Adobe will continue to provide security backports to Flash
Player 11.2 for Linux.
[http://i.imgur.com/A5IFIBF.png](http://i.imgur.com/A5IFIBF.png) Source:
[http://get.adobe.com/flashplayer/](http://get.adobe.com/flashplayer/)

~~~
experimental-
Note that Google provides newer versions of Flash player for Linux
alongside Chrome. That version works on any browser that supports the Pepper
plug-in interface (currently Chrome/Chromium (+forks)/Opera/? – and not
Firefox).

------
616c
And what is funny is that I noticed this morning some users with admin privs
(long story) were ahead of my already delayed patching schedule (I am not in
the US). Adobe has a distribution page for companies to deploy Flash and other
stuff internally with "enterprise-y" installers, and I had to refresh until
like mid-afternoon local time to see 16.0.0.296 and wondered if it was
laziness or rushing.

Well, question answered.

------
eslaught
Following on from
[https://news.ycombinator.com/item?id=8942395](https://news.ycombinator.com/item?id=8942395),
is Firefox affected when click-to-play ("Ask to Activate" in Firefox
terminology) is enabled?

------
rustyconover
Shame on you Adobe! Yet another hole in Flash, isn't it time to pack up your
tent and move onto the dust bin of history?

Furthermore it's more shameful to release an update for the manual update
users two days after the automatic update users get it. Get over yourselves
already. This is already being exploited, push fixes out faster or at least at
the same time.

Steve Jobs was so right.

~~~
click170
They are certainly not going to bin themselves, we have to do it for them.

Uninstall flash, and refuse to reinstall it. And see if your nontechy friends
and relatives will let you do the same to protect them as well.

There are a lot of sites that have multiple streaming options, but when flash
is installed it's what they default to.

~~~
testrun
And are you going to bin Apple and Microsoft too? Not going to use USB? Not
going to DNS? What hardware and software do you use that had no security flaws
in the last year?

~~~
dandelion_lover
This is not the point. When you definitely can do something, you should do it.
Other problems should not distract you from removing this particular software.

