Adobe Flash Player Vulnerable to Attack – Again

thezootsewt / November 15, 2016 / Cyber Defense, Latest News

Quiz – what’s the one plugin that your web browser probably uses that most cyber security professionals would like to see disappear from the face of the earth? If you answered Adobe Flash Player, you are right! For years Flash Player provided important functionality that standard HTML-based web browsers could not. With the advent of HTML5, that started to change. However, a large number of old websites still depend on Flash Player to render properly, so many sysadmins and developers have chosen to keep Flash Player in their builds so as not to break legacy sites. Unfortunately, continuing to carry Flash forward is endangering cyber security for many people and organizations.

Let’s cut to the chase – Adobe released a security advisory on November 8 outlining the security vulnerabilities. If you are running Flash version 23.0.0.205 or earlier, then you are vulnerable. Check here to see what version of Flash you are running. If you are running 23.0.0.205 or earlier, then upgrade your Flash Player (or your Chrome web browser, which has Flash built in) right away!

The Adobe security advisory is actually a roll-up of a number of critical Flash Player bugs – 9 to be precise. Each of the 9 vulnerabilities potentially allows a remote attacker to execute arbitrary code on an impacted system. The level of complexity required to initiate an attack is minimal, with attackers likely accessing systems remotely. Each of the vulnerabilities is ranked as a critical bug.

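Use-after-free vulnerabilities stem from poorly coded memory management: the program keeps using a region of memory after it has been freed. In a nutshell, if a portion of memory is freed and an attacker then manages to fill it with data of their choosing, the program may act on that data, and the attacker can execute arbitrary commands.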

The CVEs issued for this patch roll-up are:

CVE-2016-7857

CVE-2016-7858

CVE-2016-7859

CVE-2016-7860

CVE-2016-7861

CVE-2016-7862

CVE-2016-7863

CVE-2016-7864

CVE-2016-7865

Depending on your operating system and browser, Flash Player updates are available as follows.

| Product | Updated Versions | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe Flash Player Desktop Runtime | 23.0.0.207 | Windows and Macintosh | 1 | Flash Player Download Center, Flash Player Distribution |
| Adobe Flash Player for Google Chrome | 23.0.0.207 | Windows, Macintosh, Linux and Chrome OS | 1 | Google Chrome Releases |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 23.0.0.207 | Windows 10 and 8.1 | 1 | Microsoft Security Advisory |
| Adobe Flash Player for Linux | 11.2.202.644 | Linux | 3 | Flash Player Download Center |
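
For anyone checking more than one machine, here is an added example (not from Adobe or part of the original post) that compares an inventory of installed Flash versions against the updated versions in the table above. The product keys, host names and inventory rows are constructed for illustration, and the comma-separated version form is assumed to appear in some inventory sources.

```python
import re

# Updated (fixed) versions from the table above; the dictionary keys are
# hypothetical product labels chosen for this example.
FIXED = {
    "desktop_runtime": "23.0.0.207",  # Windows and Macintosh
    "chrome": "23.0.0.207",           # Windows, Macintosh, Linux, Chrome OS
    "edge_ie11": "23.0.0.207",        # Windows 10 and 8.1
    "linux": "11.2.202.644",          # Flash Player for Linux
}

def parse_version(text):
    """Parse 'a.b.c.d' (or 'a,b,c,d') into a tuple of four ints."""
    normalized = text.strip().replace(",", ".")
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", normalized):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in normalized.split("."))

def status(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    # Numeric tuple comparison: as strings, "23.0.0.99" sorts after
    # "23.0.0.207" and would be reported as patched.
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-01", "desktop_runtime", "23.0.0.205"),
    ("ws-02", "desktop_runtime", "23.0.0.207"),
    ("ws-03", "chrome", "23.0.0.99"),
    ("ws-04", "edge_ie11", "23,0,0,185"),
    ("lx-01", "linux", "11.2.202.644"),  # patched, although below 23.x
    ("lx-02", "linux", "11.2.202.643"),
    ("ws-05", "desktop_runtime", "not installed"),
]

def audit(inventory):
    """Return only the hosts that need attention, with their status."""
    return [(host, product, ver, status(product, ver))
            for host, product, ver in inventory
            if status(product, ver) != "patched"]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

Each product is compared against its own row in the table, so a fully updated Flash Player for Linux install (11.2.202.644) is not flagged just because its version number is below 23.0.0.207.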

Happy patching everyone!
