• New version of Flash – thwarts Cerber ransomware

    #44903

    Just in from CA: Ya might want to make your audience aware that Adobe has released new versions of Flash player today that supersede those released on
    [See the full post at: New version of Flash – thwarts Cerber ransomware]

    Viewing 32 reply threads
    • #44904

      Strange. If I download directly on the Adobe site, it always downloads the 21.0.0.197 version. I go to this address for downloading the 21.0.0.213 version:

      http://www.adobe.com/fr/products/flashplayer/distribution3.html

    • #44905

      I have IE-11 and Firefox on Windows 7 and it appears there’s a glitch at Adobe Flash’s update site?

      When I verify my version from either browser it shows that 197 is installed and out of date, but clicking on the “Update Now” button shows 197 as the version available for download instead of 213.

      Maybe we need to wait a while?

    • #44906

      The Flash page says my version is out of date, but when I click the link it offers me the same late March version 🙁 Firefox, Win7 64-bit
      Chrome was already up to date automatically.

    • #44907

      Sounds like Adobe really screwed it up….

    • #44908

      4/7/16 7:15pm EDT The link posted…
      http://neurogadget.com/2016/04/07/adobe-flash-player-emergency-patch-address-critical-vulnerability/27858

      gives me a warning from Avast. (Multi tries)
      Object: http://neurogadget.net/ezoic/banger10.js?cb=90-0v=3PageSpeed=off line 1 > eval
      Infection: JS:Redirector-BXI [Trj]
      Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

      When I abort the connection from within the avast warning popup, it then connects to the news article. The URL appears exactly the same.

    • #44909

      The real question is… Why is anybody still using Flash?

      Honestly, ditch it and you’ll find you miss very little… unless you like daily security vulns and obnoxious pop-up ads…

    • #44910

      I get a 404 error when using your link for the Flash update. I was able to download by using the “check the version” site, and then navigating to download their latest and greatest.

    • #44911

      I updated Flash on Opera manually, and when I re-checked Firefox, it had updated as well.
      That leaves IE11 (and Edge?) unprotected.
      Maybe Tuesday?

      Windows 8.1 64 bit.

    • #44912

      The Adobe Security Advisory says this vulnerability does not affect Flash Player 21.0.0.182 or higher. Version 21.0.0.197 should be safe. Version 21.0.0.213 was only a cosmetic update.

      Windows 8.1 and Windows 10 users will not be updated for this vulnerability, as we are not the subjects of the advisory. Chrome is on a higher version, but as I noted elsewhere in this blog, the latest update is purely cosmetic, not a security update.

      The advisory is dated April 5-6, 2016, so its info should be regarded as current.

      The vulnerable versions of Flash Player were obsolete almost three weeks ago. Windows 10 users who allowed updates as of March 23, 2016 are safe.

    • #44913

      Bugger, finally got the right version and – “Installation failed”

    • #44914

      This is the Adobe page that I download Flash updates from:

      https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html

      Scroll to the bottom of that webpage to get the direct links to download the latest version of Flash.

    • #44915

      Try downloading the Flash Players again the next day.

      I just downloaded the Flash Players in late afternoon Pacific Daylight Time of April 7 and they’re version 21.0.0.213.

      If you’re using IE in either Win8.1 or Win10, you get no updates for Flash Player ActiveX for those OSes (maybe perhaps until April Patch Tuesday of April 12).

    • #44916

      My auto dealership uses Flash as part of the bling on the opening page. Since we’re done buying a car, no biggie. The major use left for Flash is the Weather Service radar loop. A few years ago, they replaced an even scarier Java application with Flash. I enable it to view the loop, then turn Flash back off.

      I’ve found the following URL to be sufficient to get the most current version:
      https://get.adobe.com/flashplayer/

      This downloads the 1.1MB installer which handles the rest of the load. I usually save a copy and run the copy, since it’s a destructive read. Used to have a lot of failures when I was seriously bandwidth impaired. (Dialup, or the World’s Worst Library Connection.)

    • #44917

      Guess you haven’t read the latest Adobe security Bulletin, APSB16-10, released late today, Thu 07 Apr:
      https://helpx.adobe.com/security/products/flash-player/apsb16-10.html

      By my count, 21.0.0.213 patches at least 23 CVEs, *including* the one at issue here, namely CVE-2016-1019. Hardly a “cosmetic update”.

      And contrary to your assertion, *both* the earlier advisory *and* today’s bulletin make it quite clear that this vulnerability affects, and is being exploited on, Win10 and *all* earlier Windows systems.

      That said, the bug does appear to be mitigated by changes made in 21.0.0.182. Nevertheless, it is *still present* in 21.0.0.197. Therefore, it might be exploitable using a clever modification of the technique(s) currently being used by the in-the-wild exploit.

      If so, you wanna bet that the bad boys won’t find it?

      So, no, you do *not* want to skip this one!

    • #44918

      It appears the “glitches” have been resolved.

      The latest version (213) is now available when checking & updating your version.

    • #44919

      Most likely a false positive from Avast, which in my experience is not all that uncommon.

      VirusTotal detection: 0/67

      (Interestingly, Avast is *not* one of the 67 programs on the test panel.)

      You should report the possible false positive to Avast. Only way they’re going to improve is if users hold them accountable for their failures, both false negatives *and* false positives.

    • #44920

      All due respect EstherD but rc primak was correct according to several articles I read, including the one published by PC World which states….

      “Fortunately the exploit for CVE-2016-1019 observed in the wild only worked against Flash Player 20.0.0.306 and earlier. Users who had Flash Player 21.0.0.182, released in March, were protected because the exploit doesn’t properly execute on this version and only results in a crash.”

      Full article here….
      http://www.pcworld.com/article/3053090/security/adobe-fixes-24-vulnerabilities-in-flash-player-including-an-actively-exploited-one.html
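
The version thresholds cited in the posts above (20.0.0.306, 21.0.0.182 and 21.0.0.213) can be applied to a fleet inventory as follows. This is an added example, not part of any post and not an Adobe tool; the host names, CSV layout and status labels are constructed for illustration, and it assumes plain four-part version strings.

```python
import csv
import io

# Thresholds as quoted in this thread (PC World quote and APSB16-10 post).
EXPLOIT_WORKS_MAX = (20, 0, 0, 306)  # in-the-wild exploit worked on this and earlier
MITIGATED_MIN = (21, 0, 0, 182)      # exploit only crashes from this release on
PATCHED_MIN = (21, 0, 0, 213)        # release said to fix CVE-2016-1019

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = """host,plugin,version
ws-01,NPAPI,20.0.0.306
ws-02,ActiveX,21.0.0.197
ws-03,PPAPI,21.0.0.216
ws-04,NPAPI,21.0.0.99
ws-05,ActiveX,21.0.0.213
ws-06,NPAPI,21.0.0.x
"""

def parse_version(text):
    """Turn '21.0.0.197' into (21, 0, 0, 197); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(text):
    # Compare as integer tuples: as strings, "21.0.0.99" sorts after
    # "21.0.0.213" and would be reported as patched.
    v = parse_version(text)
    if v >= PATCHED_MIN:
        return "patched"
    if v >= MITIGATED_MIN:
        return "mitigated-unpatched"  # exploit blocked, bug still present
    if v <= EXPLOIT_WORKS_MAX:
        return "exploitable"
    return "unknown-unpatched"        # range the thread gives no data for

def triage(csv_text):
    """Map each host to a status; bad version strings are flagged, not dropped."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            report[row["host"]] = classify(row["version"])
        except ValueError:
            report[row["host"]] = "unparseable"
    return report

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, status)
```
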

    • #44921

      I would love to ditch it. I am all ears on hints how to eradicate the POS from W8+ where it got bundled by MS’s infinite wisdom.

    • #44922

      Unfortunately sites out there still require it for specific software to work. Until they ditch flash you are at their mercy. I have it disabled by default in firefox and only enable it when needed.

    • #44923

      Microsoft Safety Scanner, which uses Windows Defender definitions, is also flagging this common item found in browser caches. It’s not just Avast.

    • #44924

      You don’t stream videos of recent network TV broadcast programs, do you?

    • #44925

      I go one step further and bookmark the direct link to the PPAPI installer (that help page links to the full offline installers for Windows 7, by the way). I click the bookmark and it begins downloading, without having to load any Web pages first.

    • #44926

      Yes I do, but not often using Firefox. I also have it in the disabled state until I need to use it, and only temporarily for each use.

      Being 20 something in the 70's was so much better than being 70 something in the insane 20's

    • #44927

      With Chrome, according to the link provided, I’m now apparently using 21.0.0.216 so there appears to have been another update, although the link also shows the current version for Chrome as still being 21.0.0.213.

      Colour me confused!

    • #44928

      Same here.

    • #44929

      In both Windows (Chrome Stable Channel) and Linux (Chrome Beta Channel) I am on Flash Player (Pepper Flash) 21.0.0.216. All instances automatically update. Got mine ca. April 9-10, 2016.

    • #44930

      Try using the Flash Player Uninstaller, then run the installer again (may require a restart in between).

      https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

    • #44931

      Your focus is on the single active ransomware flaw, but there are 23 others.

      The article you linked says that Windows 8/10 will be updated for this.

      And the original Adobe Security Advisory was updated to include Windows 8/10.

    • #44932

      Again.

      And again… and again…

    • #44933

      Microsoft Security Bulletin MS16-050 was published around noon Pacific time on April 12 and now contains links to update Adobe Flash Player for IE & Edge on Windows 8.1 and Windows 10 systems:
      https://technet.microsoft.com/library/security/MS16-050

      The updates are available as KB3154132 mentioned in Microsoft support KB article 3154132:
      https://support.microsoft.com/en-us/kb/3154132

    • #44934

      From Flash Tester.org
      ( http://flashtester.org/ ) :

      “April 11, 2016. I got confirmation from Google that for Chrome on Windows, version 21.0.0.216 is the latest and greatest. A spokesperson for the company emailed me that they made updates and minor bug fixes to version 21.0.0.213. This despite all the Adobe documentation that says the latest version for Chrome is 21.0.0.213.”

      “April 12, 2016. Google has made minor bug fixes to Flash so that Chrome on Windows, OS X and Chrome OS is newer than other browsers on those systems.”

      From Me:
      Very few details anywhere I’ve looked, but apparently the Chrome PPAPI plugin was again having some video rendering issues. This happened before with an earlier release of this version 21 series PPAPI plugin flash player for Chrome. So Chrome is out of step with all other browsers, on every operating system, including Mac, Linux and ChromeOS.

      Chrome Flash Player should update itself automatically, and this should result in a new Chrome Browser version being automatically installed.

      Everyone else should by now be on Flash Player Version 21.0.0.213, except Linux (Firefox only) and Solaris users.

    • #44935

      Got the MSU standalone installer from the Microsoft Updates Catalog. Used IE 11 under Windows 10 Pro to do the download. Ran perfectly in both my devices.

    • #44936

      Duly noted. Thanks.
