apacciooutlook logo

Adobe Deploys Patch for Flash Zero-day Vulnerability

Wednesday, April 13, 2016

content-image

FREMONT, CA: Adobe releases a patch to fix zero-day vulnerability (CVE-2016-1019) actively being exploited by the Magnitude Exploit Kit, reports Sean Michael Kerner for eWeek.

CVE-2016-1019 is a type confusion vulnerability that could lead to code execution. The vulnerability is a memory corruption that can be exploited for remote code execution.

Users of Windows, Mac, Linux and Chrome operating systems are affected by the security flaw, which "could cause a crash and potentially allow an attacker to take control of the affected system.

According to the researchers from Trend Micro, active attacks have been observed leveraging this vulnerability through the Magnitude exploit kit in drive-by attacks. This particular kit is linked to the Locky ransomware, malware which locks infected systems and demands payment in return for a decryption key which unlocks system files and content.

Security vendor Proofpoint discovered the zero-day vulnerability when inspecting a change last week to an exploit kit dubbed Magnitude that is being used to distribute multiple ransomware tools including the notorious Locky and Cerber samples. According to Proofpoint, its security researchers discovered a new exploit in Magnitude targeting certain recent versions of Flash Player while ignoring the newest versions of the software.

FireEye's analysis of the CVE-2016-1019 vulnerability shows a coding style similar to one used by the Hacking Team, an Italian cyber-security vendor that was helping governments with surveillance activities and itself was the victim of a breach in July 2015.

Adobe credits Yuki Chen of Qihoo 360 Vulcan Team working with Trend Micro's ZDI for reporting three vulnerabilities: the CVE-2016-1015, CVE-2016-1016 and CVE-2016-1017, both use-after-free memory vulnerabilities. Adobe also credits Tencent, working with Trend Micro's ZDI, for reporting CVE-2016-1018, a stack overflow vulnerability that could lead to code execution.

Leaders Speak

Andy Nallappan, VP & CIO,

The Industry Demands Quick Upgrade into Cloud

By Andy Nallappan, VP & CIO,

Global Information Technology, Avago Technologies

Steven Weinreb, CIO & EVP, Technology & Operations, Asia, MetLife

Embracing Advanced Tech-enabled Solutions that Foster Innovation and Growth

By Steven Weinreb, CIO & EVP, Technology & Operations, Asia, MetLife

Anil Khatri,

Trends that are on Every CIO's Watch-list

By Anil Khatri,

Head IT-South Asia,

SAP

James F. Hanauer, CTO, VP Engineering and Art Saisuphaluck, Solutions Architect, R&D Lead, CTSI-Global

Simplifying Infrastructure Management with Microsoft Solutions

By James F. Hanauer, CTO, VP Engineering and Art Saisuphaluck, Solutions Architect, R&D Lead, CTSI-Global

Mickey Bradford, VP-IT/CTO, Exchange; & Jay McCartin, VP-Logistic Operations,  Army & Air Force Exchange Service

Embracing Cloud Hosting Benefits

By Mickey Bradford, VP-IT/CTO, Exchange; & Jay McCartin, VP-Logistic Operations, Army & Air Force Exchange Service

Featured Vendors