What's new

Adobe deploys emergency patch for Flash zero-day vulnerability

Spider

Super Moderator
Staff member
The vulnerability has recently been discovered in the Magnitude exploit kit.


By Charlie Osborne for Zero Day | April 8, 2016 -- 09:26 GMT (02:26 PDT)

Adobe has released an emergency patch to fix a zero-day vulnerability actively being exploited in the wild.

screen-shot-2016-04-08-at-08-53-37.jpg

On Tuesday, Adobe warned that users should expect an out-of-schedule update which patches the bug CVE-2016-1019, a zero-day flaw which affects Adobe Flash Player.

Users of Windows, Mac, Linux and Chrome operating systems are affected by the security flaw, which "could cause a crash and potentially allow an attacker to take control of the affected system," according to Adobe.

The zero-day flaw is a type confusion vulnerability, but it does have limitations.

The exploit works against Adobe Flash versions 20.0.0.306 and earlier, but will only cause a crash rather than full system compromise with Flash versions 21.0.0.182 and 21.0.0.197 thanks to mitigation processes added by Adobe in these more recent versions.

Microsoft Windows is being specifically targeted and cyberattackers are particularly interested in exploiting the Windows 10 operating system and earlier through this vulnerability.

Adobe has now readied the emergency patch and has advised users to update immediately.

According to researchers from Trend Micro, active attacks have been observed leveraging this vulnerability through the Magnitude exploit kit in drive-by attacks.

This particular kit is linked to the Locky ransomware, malware which locks infected systems and demands payment in return for a decryption key which unlocks system files and content.

This malware was reportedly used recently in attacks against the Methodist Hospital based in Kentucky, United States.

Researchers at FireEye said:

"This is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications -- such as Internet Explorer/Edge and Flash Player -- change the game.

Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach."
 
Well the Flash Player I have, was provided by Windows Update, dated March 8 2016 is 21.0.0.182 which includes a mitigation that prevents exploitation. https://support.microsoft.com/en-us/kb/3144756 March 10 2016.

Interesting and curious, why would Microsoft not push this fix out since they have been pushing out previous Flash Player Updates? Although I assume the Windows Update versions only apply to Microsoft browsers IE and Edge and you'd still have to install it in other browsers yourself unless the other browser includes automatic updates for Flash... i.e. Chrome.
 
Back
Top