My next class:
Web App Penetration Testing and Ethical HackingAmsterdamMar 31st - Apr 5th 2025

YAFP (Yet Another Flash Patch)

Published: 2016-04-06. Last Updated: 2016-04-06 17:56:55 UTC
by Bojan Zdrnja (Version: 1)
10 comment(s)

Adobe issued a security advisory yesterday about a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 21.0.0.197 and earlier. The vulnerability affects all OSes (Windows, Mac, Linux and Chrome OS).

As Adobe says, it “could cause a crash and potentially allow an attacker to take control of the affected system”. Well, strike that “potentially” since it is being actively exploited in the wild.
The good news is that the current version of Flash Player (21.0.0.182) at the moment prevents exploitation of the vulnerability (at least with exploits that are currently circulating).

In any case, Adobe should release the patch tomorrow (7.4.) so patch as soon as you can to be sure that the vulnerability has been completely mitigated (and of course, use an addon such as NoScript).

Adobe offers a handy web page to check which version you have currently installed at http://www.adobe.com/software/flash/about/, while the original advisory is available at https://helpx.adobe.com/security/products/flash-player/apsa16-01.html

--
Bojan
@bojanz
INFIGO IS

Keywords: 0day flash
10 comment(s)
My next class:
Web App Penetration Testing and Ethical HackingAmsterdamMar 31st - Apr 5th 2025

Comments

My Citrix servers have version 21.0.0.197, which I thought was the latest.

Anonymous

Apr 6th 2016
8 years ago

I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?

Anonymous

Apr 6th 2016
8 years ago

[quote=comment#36839]My Citrix servers have version 21.0.0.197, which I thought was the latest.[/quote]

According to Adobe's test page (link in the diary), 21.0.0.197 appears to be the latest version for some browsers, so that's probably what you're seeing - I should have made this more clear.
In any case, from what I can tell, all version are vulnerable, but the exploit does not work against the latest two versions (for now).

Anonymous

Apr 6th 2016
8 years ago

[quote=comment#36841]I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?[/quote]

Crossed my mind many times as well, but haven't played with it.
I think this would be a great test to see if EMET blocks the exploit - hope we get some good news from our readers :)

Anonymous

Apr 6th 2016
8 years ago

We deployed EMET organization wide last year and with the latest version (5.5) we have not had any issues. I can tell you in a lab environment it has blocked several flash exploits. As with any security countermeasure you should have another layer so this along with your other protections is a nice addition.

Anonymous

Apr 6th 2016
8 years ago

I'm one week away from no more flash in IE. Just one GPO. Thank God the business doesn't need it for anything. So happy to get rid of it..

Anonymous

Apr 7th 2016
8 years ago

Would EMET work in a defender / pentesters toolkit, it does generate event log entries that can be collected centrally.

hxxps://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
"EMET will log this as an error message (EventID 2) and may, if configured to do so, display a pop-up notification to the end user. EMET however, does not have a centralized management console and a third-party log management solution should be used to collect these events."

EMET 5.5 user guide hxxps://www.microsoft.com/en-us/download/confirmation.aspx?id=50802 also describes the option for configuring local telemetry:
For troubleshooting purposes, we have added a “Local Telemetry” mode. When this mode is enabled, the information that would be sent through the “Early Warning” will be saved locally instead in a user-defined folder.
To enable this mode, users need to create two entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET:
 LocalTelemetryPath (string): path where to save the information (i.e. c:\emet_local_telemetry)
Optionally, you can create the following registry key to control what kind of MiniDump file to create:
 MiniDumpFlags (DWORD): 0x1ff (default value)
More information on the possible flags are available at MSDN article hxxps://msdn.microsoft.com/library/windows/desktop/ms680519(v=vs.85).aspx.

OK, zooming back out. Balancing the level of details in security work is HARD.

Anonymous

Apr 7th 2016
8 years ago

CVE-2016-1019 is not the only vulnerability fixed in the current flash update: the [un]installers of previous versions load a bunch of Windows system DLLs from their application directory instead of the Windows system directory, see CVE-2016-1014
This weakness and bloody beginner's error is well-known as https://cwe.mitre.org/data/definitions/426.html, https://cwe.mitre.org/data/definitions/427.html and https://capec.mitre.org/data/definitions/471.html

Anonymous

Apr 7th 2016
8 years ago

Did Microsoft update Flash? I do not see anything new after MS16-036.
Are waiting for (to be bundled in, let it fester until) the upcoming
patch Tuesday?

Anonymous

Apr 8th 2016
8 years ago

Microsoft did update Adobe Flash Player.
See: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+April+2016/20935/

Anonymous

Apr 13th 2016
8 years ago

Login here to join the discussion.


Top of page
Diary Archives