YAFP (Yet Another Flash Patch)
Adobe issued a security advisory yesterday about a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 21.0.0.197 and earlier. The vulnerability affects all OSes (Windows, Mac, Linux and Chrome OS).
As Adobe says, it “could cause a crash and potentially allow an attacker to take control of the affected system”. Well, strike that “potentially” since it is being actively exploited in the wild.
The good news is that, at the moment, the current version of Flash Player (21.0.0.182) prevents exploitation of the vulnerability (at least with the exploits that are currently circulating).
In any case, Adobe should release the patch tomorrow (7.4.), so patch as soon as you can to be sure that the vulnerability has been completely mitigated (and, of course, use an add-on such as NoScript).
Adobe offers a handy web page to check which version you have currently installed at http://www.adobe.com/software/flash/about/, while the original advisory is available at https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
Comments
Anonymous
Apr 6th 2016
Anonymous
Apr 6th 2016
According to Adobe's test page (link in the diary), 21.0.0.197 appears to be the latest version for some browsers, so that's probably what you're seeing - I should have made this more clear.
In any case, from what I can tell, all versions are vulnerable, but the exploit does not work against the latest two versions (for now).
Anonymous
Apr 6th 2016
Crossed my mind many times as well, but haven't played with it.
I think this would be a great test to see if EMET blocks the exploit - hope we get some good news from our readers :)
Anonymous
Apr 6th 2016
Anonymous
Apr 6th 2016
Anonymous
Apr 7th 2016
hxxps://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
"EMET will log this as an error message (EventID 2) and may, if configured to do so, display a pop-up notification to the end user. EMET however, does not have a centralized management console and a third-party log management solution should be used to collect these events."
EMET 5.5 user guide hxxps://www.microsoft.com/en-us/download/confirmation.aspx?id=50802 also describes the option for configuring local telemetry:
For troubleshooting purposes, we have added a “Local Telemetry” mode. When this mode is enabled, the information that would be sent through the “Early Warning” will be saved locally instead in a user-defined folder.
To enable this mode, users need to create two entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET:
LocalTelemetryPath (string): path where to save the information (i.e. c:\emet_local_telemetry)
Optionally, you can create the following registry key to control what kind of MiniDump file to create:
MiniDumpFlags (DWORD): 0x1ff (default value)
More information on the possible flags are available at MSDN article hxxps://msdn.microsoft.com/library/windows/desktop/ms680519(v=vs.85).aspx.
OK, zooming back out. Balancing the level of details in security work is HARD.
Anonymous
Apr 7th 2016
This weakness and bloody beginner's error is well-known as https://cwe.mitre.org/data/definitions/426.html, https://cwe.mitre.org/data/definitions/427.html and https://capec.mitre.org/data/definitions/471.html
Anonymous
Apr 7th 2016
Are waiting for (to be bundled in, let it fester until) the upcoming patch Tuesday?
Anonymous
Apr 8th 2016
See: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+April+2016/20935/
Anonymous
Apr 13th 2016