Category: Flash

May 10 2016

Beware of in-the-wild 0day attacks exploiting Windows and Flash

(credit: Ann Oro)

Windows users woke up to something that doesn't happen every day: the disclosure of two zero-day vulnerabilities, one in the Microsoft operating system and the other in Adobe's Flash Player.

The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites. In the days or weeks leading up to Tuesday, it has been exploited in targeted attacks on South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript engines, but IE is the vehicle used to exploit it.

Separately, Adobe officials warned that a newly discovered Flash vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild. Adobe said it planned to release an update as soon as Thursday.

Read 2 remaining paragraphs | Comments

Apr 08 2016

Adobe patches Flash ransomware flaw that targets Windows 10 users

Adobe has rushed out a Flash update to plug a security hole spotted by infosec researchers, who warned that Windows 10 users of the software may have been exposed to the flaw for more than a week.

Ne'er-do-wells could exploit the flaw by sending ransomware to Windows 10 machines. Adobe said its updates addressed critical vulnerabilities in Flash, and advised users to install the latest version of the software. It said in a security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version and earlier.

Researchers at Proofpoint—which has a good explainer of the flaw here—worked with other infosec folk to track down the latest security hole in Flash that could be exploited by attackers with a type of ransomware dubbed "Cerber." The ransomware is understood to have been in the wild since at least March 31.

Read 3 remaining paragraphs | Comments

Apr 06 2016

New Flash zero-day exploited by attackers in the wild

Patch due to be published this week for critical new Adobe Flash vulnerability CVE-2016-1019.

Mar 10 2016

Adobe issues emergency patch for actively exploited code-execution bug

Adobe has issued an emergency update for its Flash media player that patches almost two dozen critical vulnerabilities, including one that's being maliciously exploited in the wild.

"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe officials wrote in an advisory published Thursday. "Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks." The notice advises Flash users to install the update as soon as possible.

CVE-2016-1010 is the common vulnerabilities and exposures designation for an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers. Adobe credited Anton Ivanov of Kaspersky Lab with discovering the zero-day vulnerability but provided no additional details. In an e-mail, a Kaspersky representative wrote:

Read 2 remaining paragraphs | Comments