Due to the recent stream of zero-day exploits of Adobe Flash, the concerns within the security community have reached a peak. This is a listing of some of the commentary going on around the net. You know my opinion. Here are some others:
Security news and education for the Mac computer community. Laugh at the FUD! Learn the facts about Mac security. ©2015 Derek Currie
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
These updates improve memory address randomization of the Flash heap for the Windows 7 64-bit platform (CVE-2015-3097).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431).
These updates resolve null pointer dereference issues (CVE-2015-3126, CVE-2015-4429).
These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114).

I marked our pal, in-the-wild exploit CVE-2015-5119, in red. That's 36 security flaws patched in Flash and AIR. Yes, Flash (and therefore AIR) really is crap code. And no doubt, it has many more security flaws waiting to be exploited. I read an article last week claiming that Adobe Flash is now the #1 most dangerous software you can run on the Internet, surpassing the awful Oracle Java plug-in. Astounding. It takes some seriously bad coding to surpass Java's horrendous security problems.
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119).
These updates resolve vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116).
From what we've seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.0.0.194.
. . .
Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux.

Security Advisory for Adobe Flash Player (APSA15-03)
A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.

Note: As of this posting, CVE-2015-5119 remains unlisted at CVE.Mitre.org. Therefore, I cannot provide a link to its description.
A) Use Chromium (of any flavor) instead. It does NOT include Flash. Everything else about it (except the default surveillance of your web behavior) is the same as Chrome.
B) Follow Google's instructions for turning OFF Flash in Chrome:
- Type chrome:plugins in the address bar to open the Plug-ins page.
- On the Plug-ins page that appears, find the "Flash" listing. To enable Adobe Flash Player, click the Enable link under its name. To disable Adobe Flash Player completely, click the Disable link under its name.

After you've freed yourself from Adobe Flash, either stay that way (highly recommended) or keep an eye out for a new Adobe Flash update. Watch for a version of Flash higher than 18.0.0.194. That's the current bad version. Do not reinstall that thing again.
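"Higher than 18.0.0.194" is easy to get wrong if you let a script compare version strings as text: "18.0.0.9" sorts after "18.0.0.194" alphabetically but is the older build. The following POSIX shell script is an added example, not code from the original post or from Adobe or Google. It compares each dotted field as an integer, reports whether a given build is newer than the vulnerable one, and, when run on OS X, reads the installed plug-in's version. The plug-in path under /Library/Internet Plug-Ins and the CFBundleShortVersionString key are assumptions about Adobe's bundle layout, not something the post states; the sample versions in the fallback loop are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post: check a Flash Player build
# against the version the post says to avoid (18.0.0.194) using numeric
# field-by-field comparison instead of string comparison, so that
# 18.0.0.209 > 18.0.0.194 while 18.0.0.9 < 18.0.0.194.

BAD_VERSION="18.0.0.194"   # last known-vulnerable build named in the post

# is_version STRING: succeeds only for a dotted run of decimal integers.
is_version() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# version_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer
# than B. Missing trailing fields count as 0, so 18.0 equals 18.0.0.0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' "1";  return 0; fi
        # drop the head field; a string with no dot left becomes empty
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' "0"
}

# flash_verdict VERSION: returns 0 if VERSION is newer than BAD_VERSION,
# 1 if it is BAD_VERSION or older, 2 if it cannot be parsed at all.
flash_verdict() {
    v="$1"
    if ! is_version "$v"; then
        echo "Cannot parse Flash version '$v'"; return 2
    fi
    if [ "$(version_cmp "$v" "$BAD_VERSION")" -gt 0 ]; then
        echo "Flash $v is newer than $BAD_VERSION (patched build)"; return 0
    fi
    echo "Flash $v is $BAD_VERSION or older: VULNERABLE, update or remove it"
    return 1
}

# installed_flash_version: read the system plug-in's version on OS X.
# Assumption (not from the post): the plug-in lives at this path and its
# Info.plist carries the version in CFBundleShortVersionString.
installed_flash_version() {
    plist="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
    [ -r "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$plist" 2>/dev/null
}

# Stand-alone run: check the real plug-in when present; otherwise walk a set
# of constructed sample versions so the comparison can be seen offline.
if v=$(installed_flash_version); then
    flash_verdict "$v" || true
else
    echo "No Flash plug-in found at the expected path; checking constructed samples:"
    for sample in 18.0.0.194 18.0.0.209 18.0.0.9 11.2.202.481 18.0.x; do
        flash_verdict "$sample" || true
    done
fi
```

Run it from Terminal with sh; on a machine that still has the system plug-in it reports the installed build, and anywhere else it demonstrates the comparison on the constructed samples. Note that it only checks the system-wide NPAPI plug-in, not the copy of Flash bundled inside Chrome, which is why the post recommends disabling that one separately.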
Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.
. . .
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2015-3113).

At this point in time, the CVE's description, beyond what Adobe provides above, is blank. A CVE (Common Vulnerabilities and Exposures) ID is reserved before a fix ships, and its public description is filled in only after the vendor publishes details; until then the developer is working on the fix and doesn't want to hand hackers any further clues to its exploitation.