Lucene search

K
threatpostMichael MimosoTHREATPOST:98B4C1C60A21436152C72C77AC3B081A
HistoryNov 08, 2016 - 11:17 a.m.

Adobe Patches Nine Code Execution Flaws in Flash Player

2016-11-0811:17:13
Michael Mimoso
threatpost.com
26

EPSS

0.133

Percentile

95.7%

Two weeks after rushing out an emergency patch for a zero-day vulnerability, Adobe today released another Flash Player security update.

The new release patched nine vulnerabilities, all of which expose the host system to remote code execution. Adobe said it is not aware of public exploits against any of the vulnerabilities.

Adobe said desktop versions 23.0.0.205 and earlier are affected on Windows and Mac platforms, as well as Google Chrome and Microsoft Edge and Internet Explorer 11 on Windows 10 and Windows 8.1

The update addresses a half-dozen use-after-free vulnerabilities, and three type confusion flaws, all of which were reported out of Trend Micro’s Zero Day Initiative.

Users are advised to update Flash Player on all platforms to version 23.0.0.207.

Adobe said today’s release was a scheduled update. Two weeks ago, the emergency update patched CVE-2016-7855, which was being exploited in limited targeted attacks.

The zero day and attacks were privately disclosed by researchers at Google’s Threat Analysis Group, who also privately disclosed a Windows kernel zero day that was being chained with the Flash zero day in the attacks.

While Adobe patched the Flash zero day within a week of being notified, Microsoft lagged and Google eventually publicly disclosed details about the vulnerability, kicking off another round of disclosure debates. Google’s disclosure policy gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. The policy was published in 2013 and included a seven-day deadline on critical flaws under active exploitation.

Microsoft is expected to patch the Windows zero day later today in its regularly scheduled Patch Tuesday security bulletins.

Adobe today also patched its Connect for Windows web conferencing software.

“This update resolves an input validation vulnerability in the events registration module that could be used in cross-site scripting attacks,” Adobe said in its advisory.

Versions 9.5.6 and earlier are affected, Adobe said, recommending that users upgrade to 9.5.7.