CVE-2016-1019 used in Magnitude and Nuclear exploit kits

Apr 8, 2016 08:15 GMT

After issuing a security alert two days ago, Adobe has come through and released a new patch for Flash Player that fixes a dangerous zero-day bug that was used in live attacks to spread ransomware.

Identified as CVE-2016-1019, the vulnerability was exploited by the Magnitude EK (exploit kit) to deliver the Cerber and Locky ransomware families.

Adobe credited security researcher Kafeine from Proofpoint with discovering the bug, and Genwei Jiang from FireEye, Inc. and Clement Lecigne from Google with helping analyze and report it.

Exploit had real potential, but was used for trivial attacks

Adobe, and later Proofpoint, explained that the vulnerability was used to target older workstations running Adobe Flash Player 20.0.0.306 and earlier. It was later discovered that attacks would have also been successful against more recent Windows versions such as Windows 10.

"Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash," Kafeine explained on Proofpoint's site.

"In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability."

Taking into account that Locky ransomware was the second most active ransomware infection in the first months of the year and that the Magnitude EK has a market share of 10 percent among crooks, it may be a good idea to update right now.

If you need another reason to update as soon as possible, Proofpoint also says that the CVE-2016-1019 exploit has been added to the Nuclear EK (market share of 8 percent), but has yet to be used there.

23 other bugs were also fixed

Besides this highly dangerous vulnerability, Adobe also patched 23 other security bugs. These included a vulnerability that bypassed security measures, another that bypassed memory layout randomization (ASLR) mitigations, and 21 flaws that led to remote code execution (RCE).

Updates for Flash running on Windows, Mac, and Linux have been published and are available for download. The latest Adobe Flash Player version numbers are 21.0.0.213 for Windows and Mac, and 11.2.202.616 for Linux distros.

Adobe Flash Player installed with Google Chrome, Microsoft Edge, and Internet Explorer (for Windows 10) will be updated to the latest version automatically.
