Categories: Breaking NewsCyber CrimeHackingSecurity

A new emergency patch for Adobe Flash Zero-Day, update your system!

Adobe has released security patches for Adobe Flash Player to fix critical vulnerabilities that could be exploited to take control of the affected system.

Adobe released an emergency patch for Flash Zero-Day (CVE-2015-8651) that is currently being exploited in targeted attacks. The out-of-band security update issued on Monday fix a number of security vulnerabilities that could be exploited by hackers to take control of an affected machine.

Adobe did not provide further details on the attacks exploiting the CVE-2015-8651 vulnerability, in the security bulletin it only confirms that the company is aware of a “limited, targeted attacks”.

“Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks.” states the security bulletin published by Adobe.

A company spokesperson confirmed that the vulnerability has been exploited in a spear phishing campaign.

The zero-day vulnerability affect all platforms, below the details Adobe provided in a security bulletin :

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).

Users must update their products as soon as possible. Unfortunately, Adobe Flash Player is a privileged target for hackers that exploit its flaws can compromise systems worldwide. The number of cyber attacks relying on Flash Player flaws this year is significant and urges Adobe to approach security issued in a different way.

In early December, Adobe presented Animated CC, the company is dismissing Adobe Flash Professional CC to introduce the new solution.

“For nearly two decades, Flash Professional has been the standard for producing rich animations on the web. ” Adobe has officially announced. “Today, over a third of all content created in Flash Professional uses HTML5, reaching over one billion devices worldwide. It has also been recognized as an HTML5 ad solution that complies with the latest Interactive Advertising Bureau (IAB) standards, and is widely used in the cartoon industry by powerhouse studios likeNickelodeon and Titmouse Inc.

Animate CC will continue supporting Flash (SWF) and AIR formats as first-class citizens. In addition, it can output animations to virtually any format (including SVG), through its extensible architecture.”

Many exponents of the security community fear that the Adobe Animate CC is the result of a marketing operation that would be still insecure.

Step by step the HTML5 language is replacing the flawed Flash, after YouTube also Facebook announced is leaving Flash to adopt it.

“We recently switched to HTML5 from a Flash-based video player for all Facebook web video surfaces, including videos in News Feed, on Pages, and in the Facebook embedded video player. We are continuing to work together with Adobe to deliver a reliable and secure Flash experience for games on our platform, but have shipped the change for video to all browsers by default.” States the announcement issued by Facebook.

Pierluigi Paganini

(Security Affairs – Adobe Flash Player, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.