FREMONT, CA: Adobe releases a patch to fix zero-day vulnerability (CVE-2016-1019) actively being exploited by the Magnitude Exploit Kit, reports Sean Michael Kerner for eWeek.
CVE-2016-1019 is a type confusion vulnerability, a form of memory corruption that can be exploited for remote code execution.
Users of Windows, Mac, Linux and Chrome OS are affected by the security flaw, which "could cause a crash and potentially allow an attacker to take control of the affected system."
According to the researchers from Trend Micro, active attacks have been observed leveraging this vulnerability through the Magnitude exploit kit in drive-by attacks. This particular kit is linked to the Locky ransomware, malware which locks infected systems and demands payment in return for a decryption key which unlocks system files and content.
Security vendor Proofpoint discovered the zero-day vulnerability when inspecting a change last week to an exploit kit dubbed Magnitude that is being used to distribute multiple ransomware tools including the notorious Locky and Cerber samples. According to Proofpoint, its security researchers discovered a new exploit in Magnitude targeting certain recent versions of Flash Player while ignoring the newest versions of the software.
FireEye's analysis of the CVE-2016-1019 vulnerability shows a coding style similar to one used by the Hacking Team, an Italian cyber-security vendor that was helping governments with surveillance activities and itself was the victim of a breach in July 2015.
Adobe credits Yuki Chen of Qihoo 360 Vulcan Team, working with Trend Micro's ZDI, for reporting three vulnerabilities: CVE-2016-1015, CVE-2016-1016 and CVE-2016-1017, all use-after-free memory vulnerabilities. Adobe also credits Tencent, working with Trend Micro's ZDI, for reporting CVE-2016-1018, a stack overflow vulnerability that could lead to code execution.