Adobe Flash Zero-Day Under Attack


Batu69

A zero-day vulnerability in Adobe’s ubiquitous Flash Player software is being exploited to launch malware attacks, the company warned in an advisory issued today.

The vulnerability, rated critical, will not be patched until May 12th.

The company credits Genwei Jiang of FireEye, Inc. with discovering the flaw, which provides an indication that it is being used in targeted attacks.

According to Adobe, the vulnerability is present in Windows, Mac OS X, Linux and Chrome OS.

From the Adobe advisory:

A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12.

Separately, Adobe issued a patch for three different vulnerabilities in the ColdFusion application server platform.

The company said the flaws could expose users to cross-site scripting, input validation and host name verification attacks.

Adobe also issued a massive patch rollup for the Adobe Acrobat and Adobe Reader product lines.


Adobe has updated Flash Player for Windows, Mac and Linux to address a total of 25 vulnerabilities, including a zero-day that has been exploited in the wild.

Flash Player 21.0.0.242 and 11.2.202.616 patch type confusion, use-after-free, buffer overflow, directory search path, and various memory corruption vulnerabilities that can lead to arbitrary code execution.

The flaw that has been exploited in the wild, CVE-2016-4117, is a type confusion reported by Genwei Jiang of FireEye.

This is not the first time the security firm has reported Flash Player zero-days to Adobe. Last year, the company observed unpatched Flash vulnerabilities being used by the Pawn Storm and APT3 cyber espionage groups. In April, FireEye and the French researcher Kafeine reported a zero-day leveraged by cybercriminals in the Magnitude exploit kit.

In the advisory published on Thursday, Adobe also credited researchers from Microsoft, Pangu LAB, Google, Tencent, CSIRT.SK and NSFOCUS for reporting the vulnerabilities resolved with the latest Flash Player update.

While Adobe’s pre-notification advisory only mentioned CVE-2016-4117, an advisory published by Microsoft on the same day for Flash library updates for Internet Explorer and Edge showed that a total of 25 flaws would be fixed.

Microsoft also patched a vulnerability this week that had been exploited in the wild before a fix was released. Researchers discovered that attackers leveraged vulnerabilities in the JScript and VBScript scripting engines in Windows (CVE-2016-0187 and CVE-2016-0189) to target Internet Explorer users in South Korea.

This week, Adobe also released updates for Reader, Acrobat and ColdFusion to fix nearly 100 vulnerabilities.
