Adobe deploys emergency patch for Flash zero-day vulnerability

Discussion in 'Members News Depot' started by Spider, Apr 8, 2016.

  1. Spider

    Spider Super Moderator Staff Member

    Joined:
    Feb 3, 2015
    Messages:
    285
    Likes Received:
    74
    Trophy Points:
    28
    Location:
    Chicago, IL
    The vulnerability has recently been discovered in the Magnitude exploit kit.

    By Charlie Osborne for Zero Day | April 8, 2016 -- 09:26 GMT (02:26 PDT)

    Adobe has released an emergency patch to fix a zero-day vulnerability actively being exploited in the wild.

    On Tuesday, Adobe warned that users should expect an out-of-schedule update which patches the bug CVE-2016-1019, a zero-day flaw which affects Adobe Flash Player.

    Users of Windows, Mac, Linux and Chrome operating systems are affected by the security flaw, which "could cause a crash and potentially allow an attacker to take control of the affected system," according to Adobe.

    The zero-day flaw is a type confusion vulnerability, but it does have limitations.

    The exploit works against Adobe Flash versions 20.0.0.306 and earlier, but will only cause a crash rather than full system compromise with Flash versions 21.0.0.182 and 21.0.0.197 thanks to mitigation processes added by Adobe in these more recent versions.

    Microsoft Windows is being specifically targeted and cyberattackers are particularly interested in exploiting the Windows 10 operating system and earlier through this vulnerability.

    Adobe has now readied the emergency patch and has advised users to update immediately.

    According to researchers from Trend Micro, active attacks have been observed leveraging this vulnerability through the Magnitude exploit kit in drive-by attacks.

    This particular kit is linked to the Locky ransomware, malware which locks infected systems and demands payment in return for a decryption key which unlocks system files and content.

    This malware was reportedly used recently in attacks against the Methodist Hospital based in Kentucky, United States.

    Researchers at FireEye said:

    "This is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications -- such as Internet Explorer/Edge and Flash Player -- change the game.

    Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach."
     
  2. GreyFox7

    GreyFox7 Super Moderator Staff Member

    Joined:
    Jul 27, 2014
    Messages:
    6,342
    Likes Received:
    1,279
    Trophy Points:
    113
    Anyone get this yet on Windows Update?
     
  3. GreyFox7

    Still not seeing the update in Windows Update...
     
  4. Spider

    And you probably never will. It's an Adobe update, not a Microsoft update. Click the link below, and follow the instructions in the "Mitigations" section. You need to update Flash to release 21.0.0.213 ASAP.

    Adobe Security Advisory
     
  5. GreyFox7

    Well, the Flash Player I have was provided by Windows Update, dated March 8, 2016, and is 21.0.0.182, which includes a mitigation that prevents exploitation. https://support.microsoft.com/en-us/kb/3144756 March 10 2016.

    Interesting and curious, why would Microsoft not push this fix out since they have been pushing out previous Flash Player Updates? Although I assume the Windows Update versions only apply to Microsoft browsers IE and Edge and you'd still have to install it in other browsers yourself unless the other browser includes automatic updates for Flash... i.e. Chrome.
     
  6. Spider
