Frodo
join:2006-05-05
kudos:1
·magicJack

Frodo

Member

Flash Security Update on Thursday per article

»threatpost.com/emergency ··· /117219/
quote:
Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked.

Adobe said the vulnerability is in version 21.0.0.197 and earlier for Windows, Mac OS X, Linux and Chrome OS.
redwolfe_98
Premium Member
join:2001-06-11
kudos:3

redwolfe_98

Premium Member

"A critical vulnerability exists in Adobe Flash Player 21.0.0.197 and earlier versions"

"Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier"

"A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later"

»helpx.adobe.com/security ··· -01.html
-------------------------------------
seems confused, doesn't it?
Mele20
Premium Member
join:2001-06-05
Hilo, HI
kudos:8

1 edit

Mele20

Premium Member

Adobe could use some lessons in how to write more clearly.

There was a "mitigation" in 21.0.0182. Meaning lessening in severity or intensity any attack on this vulnerability. The mitigation doesn't apply to Windows 7 and XP running earlier versions of flash such as 200 .0.306 and before.

The patch coming Thursday is not a mitigation but a full fix for all versions running on various Windows.

That's what I think Adobe is trying to say.

XPPOS2009
@rr.com

XPPOS2009

Anon

said by Mele20:

There was a "mitigation" in 21.0.0182.

No quotes necessary. Actual mitigating code, not pretend.
said by Mele20:

The mitigation doesn't apply to Windows 7 and XP running earlier versions of flash such as 200.0.306 and before.

You mean version 20.0.0.306. Regardless, it can't possibly apply, because the mitigation didn't exist yet in 20.0.306 - as it clearly states, the mitigation was introduced in 21.0.0.182.

It also doesn't apply to ANY earlier version of Flash on ANY version of Windows. Windows 7 and XP don't get special versions of Flash.

Adobe's mention of 7/XP is in regard to reports of exploitation (not vulnerability or mitigation - All Windows versions are vulnerable):

"Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier."

The vulnerability exists on all versions of Flash prior to 21.0.0.197. It is mitigated in 21.0.0.182 and later. Period. (regardless of Windows version)
Mele20
Premium Member
join:2001-06-05
Hilo, HI
kudos:8

Mele20

Premium Member

XP is too old to be concerned with and the only other would be Vista. You are splitting hairs. Your explanation is even more difficult than Adobe's to make sense of.

Plus, why is adobe patching the current version (that everyone should have) if the vulnerability exists only on earlier versions? Why are you claiming all versions of Windows including non supported versions like Windows 98 and even the current version of Flash is vulnerable? You are not making sense.

WildByDesign
join:2014-09-05
Canada

WildByDesign

Member

said by Mele20:

XP is too old to be concerned with and the only other would be Vista. You are splitting hairs. Your explanation is even more difficult than Adobe's to make sense of.

Plus, why is adobe patching the current version (that everyone should have) if the vulnerability exists only on earlier versions? Why are you claiming all versions of Windows including non supported versions like Windows 98 and even the current version of Flash is vulnerable? You are not making sense.

Adobe stated that the exploit is mitigated in 21.0.0.182 and later. While mitigated does mean that those users are essentially protected for now, mitigated does not mean fixed. Meaning, the bad guys could potentially make modifications to their exploit code to get around the mitigation. Mitigation is some form of protection, indeed. But not entirely the same as fully patched/fixed code. Hopefully that helps clarify a bit. At least, that is my understanding and opinion. Cheers!
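
The version ranges argued over in this thread (vulnerable without the mitigation, vulnerable but mitigated, newer than the advisory range), as an added example that is not part of any post here and is not Adobe's code. The two thresholds are the versions quoted from the advisory above; the host names and inventory are constructed.

```python
# Added example. Thresholds are the two versions quoted from Adobe's advisory
# in this thread; host names and the inventory below are constructed.
LAST_VULNERABLE = (21, 0, 0, 197)   # "21.0.0.197 and earlier" are vulnerable
MITIGATION_FROM = (21, 0, 0, 182)   # mitigation "introduced in 21.0.0.182"

def parse_version(text):
    """Return (a, b, c, d) for a well-formed 'a.b.c.d' string, else None."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(text):
    """Map a Flash Player version string to its status for CVE-2016-1019."""
    version = parse_version(text)
    if version is None:
        return "unparseable"            # never guess at a mistyped version
    if version > LAST_VULNERABLE:       # numeric compare, not string compare
        return "newer than advisory range"
    if version >= MITIGATION_FROM:
        return "vulnerable, mitigated"  # mitigated is not the same as fixed
    return "vulnerable, no mitigation"

def triage(inventory):
    """Group host names by status so unmitigated hosts can be updated first."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    return groups

INVENTORY = {  # constructed sample data
    "host-a": "20.0.0.306",
    "host-b": "21.0.0.182",
    "host-c": "21.0.0.197",
    "host-d": "21.0.0.213",
    "host-e": "10.3.183.86",
    "host-f": "21.0.0182",   # malformed, as mistyped in the thread
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```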

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC
kudos:18
·Bell Fibe Internet

siljaline to Frodo

Premium Member

to Frodo
Adobe releases bulletins for the patch scheduled for tomorrow:

• »helpx.adobe.com/security ··· -01.html

• »blogs.adobe.com/psirt/?p=1330
note updated Adobe PSIRT entry

XPPOS2009
@rr.com

XPPOS2009 to Mele20

Anon

to Mele20
said by Mele20:

XP is too old to be concerned with and the only other would be Vista.

Might want to inform Microsoft, since they are patching it until April of 2019. Or Adobe, since they still provide Flash (AIR/Reader/Etc) for XP. Or Mozilla..etc etc ad nauseam.

»www.netmarketshare.com/o ··· ustomd=0

11% Market share. "Too old to be concerned with"?
said by Mele20:

You are splitting hairs.

I'm sure Adobe feels the same way:

"Revisions

April 6, 2016: Expanded the Windows Operating Systems targeted by the exploit for CVE-2016-1019 to include all versions (Windows 10 and earlier). This advisory previously referenced only Windows 7 and XP. "

All Windows versions.

Not feeling after all. Reason. Not like you at all.
said by Mele20:

Your explanation is even more difficult than Adobe's to make sense of.

Perhaps because it's more logical. Would help if you understood basic logic, let alone basic security terminology and concepts (i.e. "mitigation").
said by Mele20:

Plus, why is adobe patching the current version (that everyone should have) if the vulnerability exists only on earlier versions? Why are you claiming all versions of Windows including non supported versions like Windows 98 and even the current version of Flash is vulnerable? You are not making sense.

Directly from the bulletin: "A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS"

Guess what the current version is? 21.0.0.197 (Though Chrome is making 21.0.0.213 available now through component updating)

Try logic (and well, some security education), it works.

Too much time at emotionally hyperbolic grc.com...
Mele20
Premium Member
join:2001-06-05
Hilo, HI
kudos:8

Mele20

Premium Member

????? You just repeated what I already said.

Maybe you should learn how to NOT obfuscate. I replied to someone who was confused. I replied in layman's language. You were offended for some reason and proceeded to say the same thing in even cloudier language than Adobe's original language. Now you have said the same thing I said but made sure to make your comments very lengthy and not a bit logical or understandable. I said it in a way that was understandable.

I didn't reply to you so not sure why you decided to pick a silly fight.

XPPOS2009
@rr.com

XPPOS2009

Anon

Yes, your response was in fact...not a response...you probably even believe that.

You can always go back and edit or delete it...

Again, advice about hyperbolic emotionalism and lack of basic logic application and understanding of security terminology and processes still applies.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC
kudos:18
·Bell Fibe Internet

siljaline to Frodo

Premium Member

to Frodo
Patched here. You may use the official Adobe software via Corrine's Blog »securitygarden.blogspot. ··· yer.html

rghaziokw
@bell.ca

rghaziokw

Anon

I'm running flash version 10.3.183.86 on the system I'm using right now to post this (Windows 98 with KernelEx, Firefox 2.0.0.20). I would love to try a proof-of-concept example of this vulnerability to determine if, indeed, "all previous versions of flash" and "all versions of windows" are vulnerable to CVE-2016-1019.