Adobe Flash had a critical update (arbitrary code execution) for the month of March. All of the browsers listed below had multiple vulnerabilities (all arbitrary code executions except for Chrome) that were fixed. This post takes into consideration updates as of about a week ago – there may have been even more recent updates since then. Get updated as soon as possible.
| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Severity / Recommendation |
|---|---|---|---|---|---|
| APSB15-05 | Adobe Flash | Win/Mac 16.0.0.30 and earlier; Linux 11.2.202.44 and earlier | 3/12/2015 | Arbitrary Code Execution | Critical: Priority 1 / Upgrade within 72 hours |
| 41.0.2272.101 | Google Chrome | Win/Mac/Linux before 41.0.2272.101 | 3/19/2015 | Denial of Service, Security Bypass, Information Disclosure | Update at admin's discretion |
| 36.0.4/ESR 31.5.3 | Mozilla Firefox | Before 36.0.4/31.5.3 | 3/20/2015 | Arbitrary Code Execution, Privilege Escalation | Update as soon as possible |
| 2.33.1 | Mozilla SeaMonkey | Before 2.33.1 | 3/20/2015 | Arbitrary Code Execution, Privilege Escalation | Update as soon as possible |
| 8.0.4/7.1.4/6.2.4 | Apple Safari | Before 8.0.4/7.1.4/6.2.4 | 3/17/2015 | Arbitrary Code Execution, Denial of Service | Update as soon as possible |
Best wishes,
Randy Knowles
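
A check of installed browser versions against the fixed versions in the table above, as an added example that is not part of the original post. It shows why entries such as "Before 8.0.4/7.1.4/6.2.4" have to be compared per branch rather than against the highest number. The function names and the inventory are hypothetical, and matching a branch by its major version number is an assumption.

```python
# Added example: branch-aware patch check against the table in this post.
# Fixed versions are copied from the table; hosts and installed versions
# in INVENTORY are constructed sample data.

FIXED = {
    "Google Chrome": ["41.0.2272.101"],
    "Mozilla Firefox": ["36.0.4", "31.5.3"],      # release / ESR
    "Mozilla SeaMonkey": ["2.33.1"],
    "Apple Safari": ["8.0.4", "7.1.4", "6.2.4"],  # one fix per listed branch
}

def parse(version, width=4):
    """'36.0.4' -> (36, 0, 4, 0): numeric, zero-padded, so 36.0.10 > 36.0.4."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_patched(product, installed):
    """True if `installed` is at or past the fix for its own branch.

    Assumption: a branch is identified by the major version number.
    """
    have = parse(installed)
    fixes = sorted(parse(v) for v in FIXED[product])
    for fix in fixes:
        if fix[0] == have[0]:
            return have >= fix       # compare only within the same branch
    # No fix is listed for this major version, so only a version newer
    # than the highest listed fix counts as patched.
    return have > fixes[-1]

INVENTORY = [  # constructed
    ("ws-01", "Mozilla Firefox", "31.5.3"),   # ESR at the fixed version
    ("ws-02", "Mozilla Firefox", "35.0.1"),   # old release branch
    ("ws-03", "Apple Safari", "7.1.3"),
    ("ws-04", "Apple Safari", "6.2.4"),
    ("ws-05", "Google Chrome", "41.0.2272.89"),
    ("ws-06", "Mozilla SeaMonkey", "2.33"),
]

def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

The Flash row is left out because its "and earlier" wording is inclusive and differs per platform, so it needs a separate comparison.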
9:18 am on April 20th, 2015 1
Recent third party patches:
1) Google Chrome has a major update to 42.0.2311.90 on April 14, with many changes.
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
After months of weaning users away from NPAPI support for security, this version (42) finally disables NPAPI support by default. So if some of your plugins stop working (e.g. Java, Shockwave Player, others), you may want to learn how to temporarily re-enable them via this flag:
chrome://flags/#enable-npapi
Note, the drop dead date is September 2015 (version 45), when NPAPI support will be removed – and this override will no longer work.
http://www.chromium.org/developers/npapi-deprecation
http://www.theregister.co.uk/2015/04/14/google_java_chrome_42/
http://java.com/en/download/faq/chrome.xml
2) The latest Flash Player is 17.0.0.169 for most browsers.
http://www.adobe.com/software/flash/about/
P.S. If you use Chrome, you re-enabled NPAPI support, AND you manually updated Flash (e.g. for other browsers like Firefox), remember to specifically disable the NPAPI Flash Player plugin in Chrome, so only one Flash plugin is running, to avoid instability.
chrome://plugins
P.P.S. I notice that the buggy behavior in displaying the plugins page has cropped back up & worsened in this version. So, if your page/list of plugins seems incomplete/cut off, toggle the “+Details” link at the top right, until you get the full list (i.e. so you see the vertical scroll bar). However, if you scroll down and AGAIN lose control of the page (e.g. won’t scroll, so you can’t go further down nor go back up to the “+Details” link), then refresh the page to “fix”. Sigh ….
3) Java JRE goes to 8u45 (1.8.0_45-b14) on April 13
http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html
4) Firefox has a major update to 37.x (currently 37.0.1 on April 3)
https://www.mozilla.org/en-US/firefox/37.0.1/releasenotes/
9:32 pm on April 23rd, 2015 2
Add one more:
5) Adobe updates Shockwave Player to 12.1.8.158 (installers dated April 20). And yes, this is an NPAPI plugin.
https://www.adobe.com/shockwave/welcome/
Adobe doesn’t issue Security Bulletins for Shockwave Player updates as frequently as for Flash Player updates. BTW, here is the April 14 Security Bulletin for the Flash Player update:
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
https://helpx.adobe.com/security.html
9:40 pm on April 23rd, 2015 3
Thanks much WL. Way to stay on top of things. Third party updates are a true pain in the behind!
Randy Knowles