Flash has been the top target for exploit kits and we have observed that defender behavior, i.e. how fast patches are applied along with other factors in the threat landscape could have led to a decline in the number of Flash vulnerabilities being weaponized in exploit kits. In 2016, the time to patch 80% of Flash vulnerabilities reduced by more than half to 62 days as compared to the previous year when it was 144 days. This data is based on more than 3 billion scans performed by Qualys and could be one of the contributing factors why Flash-based attack integration in exploit kits is declining. If organizations patch quickly it gives less time for exploit kits to integrate the exploits and the chances of phishing vulnerable users reduce greatly if more machines are patched quickly.
Adobe released five security bulletins today following a pre-notification which was released on Thursday of last week. Highest priority goes to the Flash update APSB17-10 as flash has been the top choice for malware and exploit kits. If left un-patched, the vulnerabilities allow attackers to take complete control of user’s computer if the user views malicious flash content hosted by the attacker. Although flash based exploit kit activity has reduced as compared to last year we still recommend updating this first. The affected versions are listed in the table below:
UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.
As covered in our January blog, today Microsoft was supposed to scrap the existing system in which users used to get a bulletin like MS17-001 in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed as Microsoft discovered a last minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together. A zero day SMB vulnerability was expected to be patched today and as of this writing there is no official statement on the new release date.
On the Adobe front, three security updated were released and the most important one is for Flash APSB17-04 which affects Windows, Mac, Linux and ChromeOS. If left un-patched this allows attackers to take complete control of the system. An attacker would host malicious flash content and the vulnerability will trigger when victim views the content.
Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Since Flash vulnerabilities have a high potential of being weaponized in exploit kits, organizations should apply both the updates as soon as possible. A total of 13 vulnerabilities were fixed in the Flash update, while 29 were fixed in the Acrobat and Reader. If unpatched, flaws in both the bulletins can potentially allow attackers to take complete control of the affected system.
Adobe released nine security bulletins today in the December Security updates. The most notable update was APSB16-39 for Flash which fixed a 0-day vulnerability with exploits in the wild that is being used in targeted attacks. Adobe products including Flash and Acrobat PDF reader have long being targeted by exploit kits. In addition to the 0-day (CVE-2016-7892), 17 other vulnerabilities were fixed in Flash. This update address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Other updates included in today’s release fixed Coldfusion (APSB16-44) , Robohelp (APSB16-46), Adobe Digital Editions (APSB16-45), InDesign (APSB16-43) , Experience Manager (APSB16-42) , DNG Converter (APSB16-41) and Animate (APSB16-38).
Adobe released APSB16-37 today which is an update to its Flash Player. APSB16-37 fixes nine privately disclosed vulnerabilities. Flash Player runtime for Windows, Mac, Linux as well as Chrome OS and browsers like Microsoft Edge and Google Chrome are affected. This patch comes two weeks after an emergency release on October 26 which fixed an actively attacked Flash Player issue.
Adobe released APSB16-36 today to fix one 0-day vulnerability in Flash. The vulnerability is currently being used in active attacks and therefore Adobe released this emergency fix. If left un-patched, attackers can remotely take complete control of the machine. The vulnerability (CVE-2016-7855) is triggered when the victim views malicious Adobe flash content. Usually innocent users end up with malicious flash content by clicking on bad links from e-mails, blogs, bulletin boards and other sources.
Adobe released three security advisories today fixing 84 security issues in total. This is a big number but the silver lining is that none of the patches released today were for 0-day vulnerabilities. All vulnerabilities were privately reported to Adobe and so far none seem to be exploited before the release of their respective patch.
APSB16-32 patches 12 vulnerabilities in Flash player and gets a priority rating of 1. Flash has been targets by Exploit Kits like Rig, Neutrino and Angler and we agree that it should be patched as soon as possible. If left un-patched the vulnerability has a potential to allow attackers to take control of the affected system. It affects the Windows, Mac and Linux runtime as well as flash player for Internet Explorer, Edge and Chrome.