Yet another Adobe Flash patch is out:
Here is where they are all located: http://helpx.adobe.com/security.html
Yesterday 2 patches (fixing vulnerabilities found) were released
http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.”
http://helpx.adobe.com/security/products/flash-player/apsb15-02.html
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform. ” Priority 2 or 3 depending on platform
You can see that there is no prescribed date for these patches, since unlike Microsoft Adobe has decided to create patches for vulnerabilities as they come out (especially for critical vulnerabilities.
In case you don’t know Microsoft has decided some time ago to make the 2nd Tuesday of the month patch Tuesday. (which was January 13th this month)
So these patches are considered “out-of-band”. because of the large concentration of Microsoft devices this 2nd Tuesday planning for installing new patches has become an industry standard, although that may be changing.
Look at the platforms and versions for Adobe Flash:
| Product | Affected versions | Platform | Priority rating |
|---|---|---|---|
| Adobe Flash Player Desktop Runtime | 16.0.0.257 and earlier | Windows and Macintosh | 2 |
| Adobe Flash Player Extended Support Release | 13.0.0.260 and earlier | Windows and Macintosh | 2 |
| Adobe Flash Player for Google Chrome | 16.0.0.257 and earlier | Windows, Macintosh and Linux | 2 |
| Adobe Flash Player for Internet Explorer 10 and Internet Explorer 11 | 16.0.0.257 and earlier | Windows 8.0 and 8.1 | 2 |
| Adobe Flash Player | 11.2.202.429 and earlier | Linux | 3 |
The landscape is fragmenting with more people running mobile Operating systems, although the 2nd Tuesday patch timing may be with us security folks for some time to come.
Of these 2 vulnerabilities, the first one (apsa15-01) has a critical nature to it. If you do click on malware or run across a website that takes advantage of the vulnerability your machine will run whatever the criminal hacker has in store for you. (viruses, ransomware, key loggers, adware, or something new)
this is the message for cryptolocker2.0 ( a client was unfortunate to have encountered this) lost most files…
Right now Cryptolocker3.0 is the bad guy on the block, so if you have an old version of Adobe Flash, then you are susceptible to getting hacked and then all your files will be encrypted. How about having to pay for getting the “right to use your files” to the tune of $500. And sometimes that is not even in the cards, as the anonymous methods of payment do not always work. It is also curious… the criminal hacker does not have tech support in case his decryption method or payment method does not work. So pretty much you better have a backup of your files. Otherwise you can start from scratch to rebuild stuff.
the payment and contact is through I2P an anonymous network, making it very difficult for authorities to catch these criminals.
So yes the patches do matter – when will you patch?
There are of course more than just the Adobe Flash “out-of-band” patches:
Oracle came out with its patch rollup:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html the POODLE fix is in here, there are many(169) software patches for different versions of Oracle Products.
“This Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.”
Google paid $88.5k in bounties as security researchers found flaws in Chrome. So version 40 is now here. Patched 62 security flaws.
http://www.esecurityplanet.com/browser-security/google-pays-big-bug-bounties-in-chrome-40-fix.html
Here is an interesting paragraph:
“In contrast, Microsoft has yet to provide a single security patch for its Internet Explorer browser in 2015, while Mozilla’s Firefox 35 had nine security advisories attached to it.”
I am sure there is more coming for Microsoft on February 10th (2nd Tuesday)
If you only have a certain number of resources then be judicious of which patches to implement first, like the critical nature patches which can take over your machine.
So my headline of Patches, “I don’t need those stink’ patches” (stems from movie: Blazing Saddles) is of course the opposite of what needs to be done. The trick is to implement correctly, test the patch in your environment and then implement to production systems in a reasonable amount of time.
In the meantime… be careful out there.
1 thought on “Patches? “We don’t need those stinkin’ Patches””