The emergency patch released by Adobe last week was actually for a zero-day vulnerability, but cyber-criminals messed up its integration into exploit kits, inadvertently saving a big slice of users from infection.
That’s according to Jérôme Segura, Malwarebytes senior security researcher, who explained in a blog post that the mistake meant CVE-2016-1019 in fact only affected users running older versions of Flash Player.
Adobe claimed at the time that a “mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later.”
However, as it was still possible to circumvent the mitigation and make the flaw work on fully patched versions of the popular software, Adobe was forced to release an out-of-band update last week.
The Magnitude exploit kit (EK) was using the vulnerability “for some time” in several still-active malvertising campaigns designed to deliver the Cerber ransomware to unsuspecting users, claimed Segura.
“Drive-by download attacks that involve compromised sites or malvertising continue to leverage the Flash Player as the preferred piece of software for exploitation,” he explained.
“As an end-user, you need to evaluate your situation and decide whether you should keep it installed or not. If you do, it is critical that you run an exploit mitigation tool in parallel due to the likelihood of zero-day attacks. In other words, the traditional advice to keep your software up-to-date is not sufficient when it comes to high-risk plugins such as Flash.”
Full Article. Black Hats Bungle Adobe Flaw