Security News Flash Security Patch Coming in Two Days to Fix Zero-Day Used in Live Attacks

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Adobe announced today an emergency patch for Thursday, June 16, to fix a zero-day in Flash Player exploited in the wild.

According to Anton Ivanov and Costin Raiu of Kaspersky, the vulnerability was used in targeted attacks.

The term "targeted attacks" is one used to describe attacks during which the threat group points the malicious code only against a limited set of individuals. Such exploits are usually found in the arsenal of private or state-sponsored cyber-espionage groups.

Zero-day used for cyber-espionage by new StarCruft APT
The vulnerability ID assigned to this zero-day is CVE-2016-4171, and Adobe says it affects Flash Player 21.0.0.242 and earlier versions, running on Windows, Macintosh, Linux, and Chrome OS. Flash Player 21.0.0.242 is the company's most recent version, so this means the zero-day affects all Flash installations.

An attacker can use CVE-2016-4171 to crash a Flash Player installation in an unsafe way that then allows it to run malicious code on the user system and take over the machine.

Kaspersky researchers say the group behind these targeted attacks is a new APT they named StarCruft. Researchers say the group is currently running two operations: Daybreack and Erebus.

These operations are aimed at countries such as Russia, Nepal, South Korea, China, India, Kuwait and Romania. Kaspesky says StarCruft is currently using multiple Flash exploit and an Internet Explorer vulnberability to target victims.

Adobe also fixed Brackets, CC desktop app, ColdFusion, and DNG SDK
The company's engineers also released security patches today, for the company's DNG SDK, the Adobe Brackets Web IDE, the Creative Cloud desktop app, and the ColdFusion programming language.

For the DNG SDK, Adobe fixed a simple memory corruption issue, CVE-2016-4167. Adobe released DNG Software Development Kit (SDK) 1.4 2016 to fix the issue.

For Adobe Brackets, the company fixed a JavaScript injection issue used in XSS attacks (CVE-2016-4164), and an input validation vulnerability in the extension manager (CVE-2016-4165). Adobe Brackets 1.7 is the latest version which you should now use.

For the Adobe Creative Cloud desktop app, Adobe fixed a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157) and an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application(CVE-2016-4158). Adobe Creative Cloud 3.7.0.272 is now the most recent version.

For Adobe ColdFusion, there were quite a few bugs fixed, in ColdFusion versions 10, 11, and the 2016 release. All release notes are included in the Adobe security advisory.

UPDATE: Added information about the APT group that's using the zero-day, courtesy of Kaspersky.
 

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
For the third month in a row, a Flash zero-day vulnerability is being exploited in the wild

Another day, another zero-day vulnerability discovered in Flash - one that’s actively being exploited in the wild. The company hasn’t yet released a patch but it’s promising to do so this week.

For the third month in a row, a zero-day vulnerability needs to be patched by Adobe’s engineers as they scramble to put out a fix for a bug that cybercriminals are exploiting. According to its own security advisory, the bug affects the latest version of Flash, 21.0.0.242 on all systems including Windows, OS X, Linux and Chrome OS.

The vulnerability can be effectively used to trigger a crash in the Flash plugin and then attackers can get control of the affected system. As explained by the security firm Kaspersky, which discovered it, the zero-day exploit is already being used in the wild by cybercriminals going after enterprise machines. According to a different report, those running EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, are secure for now.

Adobe is promising to put out a patch this week, maybe even as soon as tomorrow. However, Flash’s security vulnerabilities seem to never end, so customers might simply be better off disabling Flash altogether.

In fact, Apple, Google and Firefox all appear to agree with that assessment, and the companies have taken steps to have Flash disabled by default in their browsers. The latest to jump on this bandwagon was Apple, which is disabling Flash by default in Safari 10, as we reported earlier.

With so many security risks, and companies moving away from the plugin, it’s clear that Flash’s days are numbered.

Source: Adobe, Kaspersky Via: Inquirer
 
A

Alkajak

Adobe released Flash Player version 22.0.0.192 which fixes 36 security issues, among which there is a zero-day vulnerability used in live attacks by a cyber-espionage group discovered by Russian security firm Kaspersky Labs.

The company gave everyone a heads up about the zero-day exploit on Tuesday when it revealed that Kaspersky Labs discovered live attacks using a never-before-seen security bug in Flash.

Zero-day used by StarCruft APT
Kaspersky expert Costin Raiu said his company came across computers compromised by the StarCruft cyber-espionage group in two different campaigns, one they named Operation Daybreak and one Operation Erebus.

StarCruft hackers used the Flash zero-day to trigger a memory corruption bug in Flash Player, which allowed them to execute code on the victim's machine and take over the device.

Besides the zero-day (CVE-2016-4171), the group also employed other Flash exploits such as CVE-2016-4117 and CVE-2016-0147, the latter of which was another zero-day exploit that Adobe patched in April.

StarCruft also used another exploit for Internet Explorer, and Kaspersky says the group launched attacks against targets in Russia, Nepal, South Korea, China, India, Kuwait, and Romania.

Microsoft EMET would have protected against zero-day exploitation
The recent Flash Player zero-day, CVE-2016-4171, works on all versions of Flash, but Raiu says that Microsoft EMET, if installed, would be able to block exploitation. Unfortunately, EMET does not ship by default with Windows, even if Microsoft started embedding some of its core features in Windows 10.

Besides the zero-day, Adobe also fixed other issues in Flash, such as two type confusion vulnerabilities, six use-after-free issues, three heap buffer overflow problems, one directory search path bug, and 22 memory corruption issues. All led to remote code execution and allowed attackers to run code on targeted machines.

Updates for Flash running on Windows, Mac, and Linux have been released and are available for download. The latest Adobe Flash Player version numbers are 22.0.0.192 for Windows and Mac, and 11.2.202.626 for Linux distros.

Full Article: Adobe Flash Player 22.0.0.192 Released to Fix Zero-Day Vulnerability
 

soccer97

Level 11
Verified
May 22, 2014
517
Adobe released their update today, as Well as Microsoft for Edge and Windows 8 or Above as A Microsoft Update. Other advice would be to avoid Internet Explorer in general (because it is frequently used as one of the combination of vulnerabilities used to attack PC's or at minimum try to disable Flash Player in IE and maybe edge.

Also, Google Chrome released an update with the updated version of flash today. The current version is: Version 51.0.2704.103 m (for 64-bit browser).

Chrome Releases


Also, a good source of Pre-Release information about current or upcoming updates is from Adobe's PSIRT Blog: Adobe PSIRT Blog
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top