Adobe Patches Actively Exploited Zero-Day Flaws in Flash Player
On Tuesday, Adobe released a security advisory warning of a critical vulnerability (CVE-2016-1019) in Flash that is being exploited in the wild. The advisory claimed that the flaw exists in Flash Player 220.127.116.11 and earlier versions for Windows 7, XP, Mac, Linux and Chrome OS. Adobe updated the advisory later on to admit that Windows 10 is also among the operating systems being exploited by this zero-day flaw.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 18.104.22.1686 and earlier. A mitigation introduced in Flash Player 22.214.171.124 currently prevents exploitation of this vulnerability, protecting users running Flash Player 126.96.36.199 and later.
The vulnerability is a memory corruption flaw that can be exploited for remote code execution. The company has now released a Flash Player update to patch this zero-day vulnerability that has been leveraged by criminal hackers to deliver malware and ransomware on Windows 10 and earlier operating system versions. Proofpoint (one of the research firms responsible for detection of this previously unknown vulnerability) reported that the exploit has been used by hackers to deliver various threats, including Cerber and Locky ransomware, using the Magnitude exploit kit.
FireEye, another firm acknowledged by Adobe for detection of this flaw, said that some of the layout and functionality of this exploit is similar to exploits leaked in the Hacking Team data breach.
Adobe's Flash Player has already received three security updates this year, including an emergency patch that was released last month to patch 23 vulnerabilities, including an active vulnerability that allowed attackers to take control of the affected systems. February's patch had fixed 22 memory corruption flaws that could have been exploited for arbitrary code execution. Adobe has itself recommended developers to ditch Flash in favor of HTML5, but it seems unlikely that this bug-magnet will die anytime soon.
Users are advised to visit Adobe to install the updated versions of Flash Player on their Windows, OS X, Linux, and Chrome OS systems.