Flash plugin 0-day vulnerability in the wild

Antonio Trande anto.trande at gmail.com
Fri Jan 23 16:01:02 UTC 2015



On 01/23/2015 04:29 PM, Daniel J Walsh wrote:
> 
> On 01/23/2015 10:25 AM, poma wrote:
>> On 23.01.2015 15:12, Kevin Fenzi wrote:
>>> On Fri, 23 Jan 2015 12:44:23 +0100 poma
>>> <pomidorabelisima at gmail.com> wrote:
>>> 
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>> 
>>>>> There's a live 0-day flash vulnerability which is not fixed
>>>>> yet [1][2]. If you use flash plugin I recommend you to
>>>>> enable the click-to-play mode for it.
>>>> Are we covered with $ rpm -q flash-plugin 
>>>> flash-plugin-11.2.202.438-release.x86_64 ?
>>>> 
>>>> Ref. http://helpx.adobe.com/security.html
>>> No.
>>> 
>>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>> 
>>> kevin
>>> 
>> Thanks for reference.
>> 
>> Until this is resolved, is this a valid way: $ sandbox -X -T tmp
>> -t sandbox_web_t firefox to cover this security issue, or can we
>> isolate only libflashplayer.so, not the entire browser.
>> 
>> Daniel, can you comment.
>> 
>> 
> libflashplayer.so runs within the Mozilla-plugin I believe. If so
> it would be confined if you have not turned on the
> unconfined_mozilla_plugin_transition boolean.

Therefore the unconfined_mozilla_plugin_transition boolean must be 'off'.

> 
> If this is the case we are somewhat protected, and of course  you
> run with setenforce 1.
> 
> sandbox -X will also add more protection.
> 

-- 
Antonio Trande

mailto: sagitter 'at' fedoraproject 'dot' org
http://fedoraos.wordpress.com/
https://fedoraproject.org/wiki/User:Sagitter
GPG Key: 0x66E15D00
Check on https://keys.fedoraproject.org/
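The thread's advice boils down to two settings: SELinux must be enforcing (setenforce 1) and the unconfined_mozilla_plugin_transition boolean must be off, otherwise the plugin host that loads libflashplayer.so runs unconfined. The following shell script is an added example, not code from any participant in this thread or from Fedora. It assumes that getsebool prints lines of the form "name --> on|off" and that the confined plugin domain is named mozilla_plugin_t; the function takes the command output as arguments so it can also be exercised with constructed strings on a machine without SELinux.

```shell
#!/bin/sh
# Added example: decide whether the Mozilla plugin host (and so libflashplayer.so)
# would be SELinux-confined, using the two settings discussed in the thread.
# Arguments are the text output of `getenforce` and of
# `getsebool unconfined_mozilla_plugin_transition`, so the logic can be run
# against constructed strings without touching a live SELinux system.

# Returns 0 and prints "confined ..." when the plugin host runs in the
# (assumed) mozilla_plugin_t domain; returns 1 and prints the reason otherwise.
flash_plugin_confined() {
    enforce_mode="$1"   # e.g. "Enforcing", "Permissive", "Disabled"
    bool_line="$2"      # e.g. "unconfined_mozilla_plugin_transition --> off"

    case "$enforce_mode" in
        Enforcing) ;;
        *)  echo "not confined: SELinux is $enforce_mode (run 'setenforce 1')"
            return 1 ;;
    esac

    # getsebool output is "<name> --> <on|off>"; keep only the last field.
    bool_value="${bool_line##* }"
    case "$bool_value" in
        off) echo "confined: mozilla_plugin_t applies to libflashplayer.so"
             return 0 ;;
        on)  echo "not confined: unconfined_mozilla_plugin_transition is on (fix: setsebool -P unconfined_mozilla_plugin_transition off)"
             return 1 ;;
        *)   echo "not confined: could not parse boolean state '$bool_line'"
             return 1 ;;
    esac
}

# Live check, only when the SELinux userland tools are present on this host.
live_status=0
if command -v getenforce >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
    flash_plugin_confined "$(getenforce)" \
        "$(getsebool unconfined_mozilla_plugin_transition 2>/dev/null)" || live_status=$?
fi
```

Run it as-is on a Fedora host to get a one-line verdict; the exit status (0 = confined) makes it usable from a cron job or configuration check. It only reports the SELinux posture; the sandbox -X wrapper mentioned in the thread is an additional layer that this check does not inspect.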

