What exactly happened with Shockwave Flash?
It was working fine, and I'd just updated it earlier this past week, but now it's blocked and the update section says -every- version is vulnerable? Seriously, what happened? And more importantly, how long is it going to take for this to get fixed, and how are we going to know when adobe has the issue fixed? I use only a handful of websites that use flash at all, and I trust them, but still, I dunno that I wanna risk it with flash on the fritz. How did this even end up being detected, anyway?
所有回复 (16)
If you search for Hacking Team you will learn about a disclosure of previously unknown exploits for Flash. Adobe has admitted the problem and promised updates for later this week:
https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
Meanwhile, Mozilla has soft-blocked the latest version of the Shockwave Flash plugin. Therefore, you need to activate it on sites you trust to use it instead of being able to set Firefox to let all sites use Flash automatically.
If you are not accustomed to using the "Ask to Activate" feature for a plugin, here's what to expect:
When you visit a site that wants to use the Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.
If you see a good reason to use Flash, and the site looks trustworthy, you can go ahead and click the Lego-like icon in the address bar to allow Flash. You can choose to allow it for now or permanently.
But some pages might be using Flash only for tracking or playing a video ad. If you don't see an immediate need for Flash, feel free to ignore the notification, it will just sit there in case you want it later.
jscher2000 said
If you search for Hacking Team you will learn about a disclosure of previously unknown exploits for Flash. Adobe has admitted the problem and promised updates for later this week: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html Meanwhile, Mozilla has soft-blocked the latest version of the Shockwave Flash plugin. Therefore, you need to activate it on sites you trust to use it instead of being able to set Firefox to let all sites use Flash automatically. If you are not accustomed to using the "Ask to Activate" feature for a plugin, here's what to expect: When you visit a site that wants to use the Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page. If you see a good reason to use Flash, and the site looks trustworthy, you can go ahead and click the Lego-like icon in the address bar to allow Flash. You can choose to allow it for now or permanently. But some pages might be using Flash only for tracking or playing a video ad. If you don't see an immediate need for Flash, feel free to ignore the notification, it will just sit there in case you want it later.
Hey Jscher. Thanks for the prompt reply. The few sites I use that use Flash are ones I do generally trust, but if it's going to be fixed later in the week, I think I can wait for the update. Primarily, I use it for youtube and crunchroll to watch videos. The only other site that I know that uses it is a fiction website (I'm not entirely sure why though.) which I am a member of. So basically, if I want to use Flash, I just flick the red lego block and click allow now, rather than allow and remember, correct?
Incidentally, how will we know when they've put out the fix? I'm still on the XP machine at the moment (the 7 pro laptop is still yet to arrive), so I'm going to need said fix when it comes out until I can get the new machine. Will firefox keep us updated on when the fix is out, or what?
由Marc7于
Yes, "Allow now" is how I do it myself.
Regarding the next update, someone may go around posting in all the various threads but, if not, you could periodically check this page: https://www.adobe.com/products/flashplayer/distribution3.html (it will be the download for "plugin-based browsers")
jscher2000 said
Yes, "Allow now" is how I do it myself. Regarding the next update, someone may go around posting in all the various threads but, if not, you could periodically check this page: https://www.adobe.com/products/flashplayer/distribution3.html (it will be the download for "plugin-based browsers")
Okay. That makes some sense. I would assume that the plug-in manager will likely be updated as well? That's how I usually get my updates for flash player, by checking the plug-ins to see if they're up to date when I get a message saying it's out of date, and then just clicking on the 'get update' button.
由Marc7于
It will be updated, but I'm not sure whether it indicates the new version number available on that page, or whether you just have to click and see.
jscher2000 said
It will be updated, but I'm not sure whether it indicates the new version number available on that page, or whether you just have to click and see.
I don't think it's ever shown the number of the new version anytime I get the prompt from Firefox to update. It just says there's an update available and then I click the button that sends me to the adobe site, which usually lists the new version number in the file when it prompts me to download or run the file.
I am running Adobe 18.0.0.203 which is the latest update but when I go to check whether my plug ins are up to date it says to update my Adobe. Makes no sense to me as to why it is telling me it is out of date when I have the newest installed.
new_aged2perfection said
I am running Adobe 18.0.0.203 which is the latest update but when I go to check whether my plug ins are up to date it says to update my Adobe. Makes no sense to me as to why it is telling me it is out of date when I have the newest installed.
Check Jscher's first response to my question, he pretty much lays out what happened, so far as I can tell.
Marc7 said
new_aged2perfection saidI am running Adobe 18.0.0.203 which is the latest update but when I go to check whether my plug ins are up to date it says to update my Adobe. Makes no sense to me as to why it is telling me it is out of date when I have the newest installed.Check Jscher's first response to my question, he pretty much lays out what happened, so far as I can tell.
Thank you
cor-el said
http://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hacking-team-combine-with-java-0-day/ http://www.zdnet.com/article/two-further-critical-flash-zero-days-appear-from-hacking-team-breach/
On the subject of java, when I looked to see if I could update it, it seems that's blocked too. Same issue as with Flash, I presume?
there's an update to flash 18.0.0.209 available at https://get.adobe.com/flashplayer/ now.
philipp said
there's an update to flash 18.0.0.209 available at https://get.adobe.com/flashplayer/ now.
I saw that too. But is that the fixed version, or is it vulnerable too?
Marc7 said
philipp saidthere's an update to flash 18.0.0.209 available at https://get.adobe.com/flashplayer/ now.I saw that too. But is that the fixed version, or is it vulnerable too?
I'm sure Flash still has secret problems yet to be revealed, but at this point, Adobe hasn't confessed to any in this release, so Firefox is not blocking this version. (At least my Firefox isn't.)
yes, this fixed the vulnerabilities we were talking about before. https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
jscher2000 said
Marc7 saidphilipp saidthere's an update to flash 18.0.0.209 available at https://get.adobe.com/flashplayer/ now.I saw that too. But is that the fixed version, or is it vulnerable too?
I'm sure Flash still has secret problems yet to be revealed, but at this point, Adobe hasn't confessed to any in this release, so Firefox is not blocking this version. (At least my Firefox isn't.)
philipp said
yes, this fixed the vulnerabilities we were talking about before. https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
Thanks guys. I'll give it a shot and pray for the best. :)