Amidst a flurry of calls to kill off Flash due to its continuous security woes, Adobe Systems has yet again unleashed a software update with patches for vulnerabilities affecting Flash Player. These updates patch two vulnerabilities and are available for Mac, Windows and Linux.
Affected software versions include: Adobe Flash Player Desktop Runtime 126.96.36.199 and earlier for Mac and Windows, Adobe Flash Player Extended Support Release version 188.8.131.522 and earlier, and Adobe Flash Player 184.108.40.2061 for Linux.
The security flaws addressed in Adobe's latest updates are described as follows:
- These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2015-5122).
- These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2015-5123).
These updates mark the third time this month Adobe has issued security bug fixes for Flash Player. It should come as no surprise that the “recent wave of critical vulnerabilities in Adobe’s Flash Player has prompted many security professionals to call for the much-maligned software’s demise,” wrote Shane Cole over at AppleInsider.
The humble route, of course, would be to apologetically state the pseudo-compassionate break-up line: "It's Not You, It's Me." Unfortunately Adobe, according to Facebook, Apple, Google and YouTube, maybe it IS you.
But can Flash be saved from a slow death? According to The Mac Observer's Jeff Gamet, not likely. Gamet wrote:
The root of the problem is security. Flash has so many major security issues that Adobe can't even find all of them, let alone patch all the flaws. Companies that sell exploits to governments for spying and surveillance love Flash because of its long history of security issues.
Hacking Team is one of those companies, and recently was the victim of a security breach where another serious Flash security exploit was revealed.
In response to the onslaught of Flash security issues this month, Mozilla also made headlines earlier this week when it announced it had blocked Adobe’s Flash by default on all versions of the Firefox web browser. However, despite calls to kill off Flash, this was not the final nail in the coffin, as confirmed in a tweet by Mark Schmidt, head of Firefox Support at Mozilla:
To be clear, Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities.
— Mark Schmidt (@MarkSchmidty) July 14, 2015
Mozilla's move to block Flash Player occurred two days ago, late Monday night. Just yesterday, only a day later, Adobe released its latest security fixes, addressing the publicly known vulnerabilities. And the updated Flash Player (version 220.127.116.11), once again, appears to work on Firefox. Flash lives to see another day. 🙂
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Adobe Flash Player 18.104.22.168 as soon as possible. Flash Player Extended Support Release users should update to version 22.214.171.1245. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Chrome version, which will include Adobe Flash Player 126.96.36.199 on Macintosh, Windows and Linux. Windows 8.x users running Internet Explorer 10 and 11 will automatically get the updated Flash version 188.8.131.52 as well.
In addition to patching Flash Player vulnerabilities, Adobe released security updates for Shockwave Player, which mitigates separate but critical flaws that could potentially allow an attacker to take control of the affected system.