Qualys Blog

www.qualys.com
wkandek

Update: Adobe to release patch for 0-day in Flash Player

Update: Adobe has released a new version of its Flash Player in APSB16-10. It addresses 22 critical vulnerabilities that can be used to gain code execution and 2 vulnerabilities that can be used to retrieve memory address information and to bypass a security feature. One of the vulnerabilities, CVE-2016-1019, is currently being attacked in the wild in Exploit Kits.

This release is Adobe’s April Patch Tuesday release. We do not expect another release this month. You should patch as quickly as possible, especially on machines that are still running a pre-March version of Flash, as these are vulnerable to CVE-2016-1019.

Proofpoint’s security researcher Kafeine describes how the Magnitude Exploit Kit uses the vulnerability and why you should update as quickly as possible.

Original: Adobe announced that a new version of their Flash Player is expected to be released this week. The new version will address CVE-2016-1019, a critical vulnerability that is currently being exploited in the wild.

If you are current with your Flash Player patches you do NOT have to worry, though. If your users have the newest Flash Player installed (v21.0.0.182, released on the last Patch Tuesday, March 10, 2016, which also included a 0-day, by the way), they are immune to the current attack. One of the mitigation techniques introduced in that version prevents the current exploitation.

You should install the new version anyway to prevent different attacks against the vulnerability and to be on the latest and most robust version of Flash Player.
