Your one-stop web resource providing safety and security information to manufacturers

Adobe just released a new version of Flash Player, fixing 36 security issues, one of which is a Zero Day vulnerability.

Adobe issued an advisory about the Zero Day Tuesday when it revealed Kaspersky Lab found live attacks using the Flash hole.

APT Group Leverages Flash Zero Day
Exploit Kit Leverages Flash Zero Day
Adobe Fixes Connect Hole
Patched Flash Hole in Exploit Kit

Kaspersky researcher Costin Raiu said his company came across computers compromised by the StarCruft cyber-espionage group in two different campaigns, one they named Operation Daybreak and one Operation Erebus.

StarCruft hackers used the Flash Zero Day to trigger a memory corruption bug in Flash Player, which allowed them to execute code on the victim’s machine and take over the device.

Cyber Security

Besides the Zero Day (CVE-2016-4171), the group also employed other Flash exploits such as CVE-2016-4117 and CVE-2016-0147, the latter of which was a Zero Day the company patched in April.

The recent Flash Player Zero Day works on all versions of Flash, but Raiu said Microsoft EMET, if installed, would be able to block exploitation.

Adobe also fixed other issues in Flash, such as two type confusion vulnerabilities, six use-after-free issues, three heap buffer overflow problems, one directory search path bug, and 22 memory corruption issues. All led to remote code execution and allowed attackers to run code on targeted machines.

Updates for Flash running on Windows, Mac, and Linux released and are available for download. The latest Adobe Flash Player version numbers are for Windows and Mac, and for Linux.

Pin It on Pinterest

Share This