Adobe released APSB16-36 today to fix one 0-day vulnerability in Flash. The vulnerability is currently being used in active attacks, and therefore Adobe released this emergency fix. If left unpatched, attackers can remotely take complete control of the machine. The vulnerability (CVE-2016-7855) is triggered when the victim views malicious Adobe Flash content. Usually innocent users end up with malicious Flash content by clicking on bad links from e-mails, blogs, bulletin boards and other sources.
Adobe released three security advisories today fixing 84 security issues in total. This is a big number, but the silver lining is that none of the patches released today were for 0-day vulnerabilities. All vulnerabilities were privately reported to Adobe, and so far none seem to have been exploited before the release of their respective patch.
APSB16-32 patches 12 vulnerabilities in Flash Player and gets a priority rating of 1. Flash has been targeted by exploit kits like Rig, Neutrino and Angler, and we agree that it should be patched as soon as possible. If left unpatched, the vulnerability has the potential to allow attackers to take control of the affected system. It affects the Windows, Mac and Linux runtime as well as Flash Player for Internet Explorer, Edge and Chrome.
It's July 2016 Patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.
Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office: MS16-084, which affects Internet Explorer, MS16-085, which affects Microsoft Edge, and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.
Update: Qualys QID is 124421: Adobe Flash Player and AIR Security Update (APSB16-01).
Original: Adobe today issued its last update for 2015 for Flash Player. It addresses nineteen vulnerabilities and was released out of band because one of them (CVE-2015-8651) is under attack in the wild. At this point attacks are limited to special targets. The update is numbered APSB16-01, not APSB15-33 as expected, most likely because it is basically the planned January 2016 update, brought forward due to the circumstances.
As with all 0-day fixes, this one deserves special attention and a quick turnaround.
There we are: the last Patch Tuesday of 2015. It turns out to be about average, with maybe a bit more severity in the bulletins than usual. We have eight critical bulletins out of the total 12, including one that fixes a 0-day vulnerability currently in use by attackers to escalate privileges in Windows. 0-days used to be very rare occasions, but this year they have become almost mainstream. After all, the year started off with a string of 0-days in Adobe Flash, and since then we have seen almost every month a patch for a vulnerability that is already under attack. This is definitely a sign of the increasing technical capabilities that attackers are wielding and a reminder that IT managers should not only patch their systems promptly, but also look for additional robustness. Your list of things to look at in 2016 should include investigation of minimal software installs with the least features enabled, plus an additional piece of software such as EMET that enhances robustness.
Just three days after Trend Micro had notified Adobe of a 0-day vulnerability in their Flash Player, Adobe addressed the flaw with a patch. APSB15-27 provides fixes for three vulnerabilities, and one of them, CVE-2015-7645, is currently being used in attacks in the wild. You should apply the update as quickly as possible, as we expect the exploit to show up in exploit kits soon, which will greatly increase the number of attacked machines.