Adobe Patches 2 Flash Player Holes

Thursday, January 29, 2015 @ 03:01 PM gHale


Adobe updated Flash Player to address a zero-day vulnerability and a critical security hole that could lead to remote code execution.

Adobe started distributing the update, version 16.0.0.296, over the weekend via the auto-update mechanism in Flash Player. In addition, Adobe sent out a standalone installer Tuesday.

This out-of-band update fixed a use-after-free vulnerability (CVE-2015-0311) that was already being exploited in the wild. Along with that, Adobe also patched a double-free flaw that could be exploited for remote code execution (CVE-2015-0312). CVE-2015-0312 was reported to Adobe by a researcher using the online moniker “bilou” through the Chromium Vulnerability Rewards Program.

Adobe advises Windows and Mac users to update their Flash Player installations to version 16.0.0.296. The Adobe Flash Player Extended Support Release should update to 13.0.0.264. The latest version of Flash Player for Linux is 11.2.202.440.

With the release of OS X Yosemite 10.10.2, Apple blocked all Flash Player plugins prior to versions 16.0.0.296 and 13.0.0.264.
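The fixed builds above differ per release branch, so a flat "is it below 16.0.0.296?" check would wrongly flag a fully patched Extended Support Release or Linux install. The following is an added example (not Adobe's or the article's code) of a branch-aware check over a constructed inventory; the fixed versions come from the article, while the branch rules, hostnames and sample versions are this example's own assumptions.

```python
"""Branch-aware check of installed Flash Player versions against the fixed
builds the article lists (CVE-2015-0311 / CVE-2015-0312). Added example, not
Adobe's tooling: fixed versions come from the article; the branch rules and
the sample inventory are this example's own assumptions."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds per release branch, as listed in the article.
FIXED_CURRENT: Version = (16, 0, 0, 296)  # Windows / Mac
FIXED_ESR: Version = (13, 0, 0, 264)      # Extended Support Release
FIXED_LINUX: Version = (11, 2, 202, 440)  # Linux

def parse_version(text: str) -> Version:
    """Turn '16.0.0.296' into (16, 0, 0, 296); reject malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)

def fixed_for(version: Version) -> Version:
    """Fixed build for the branch a version belongs to. A flat comparison
    against 16.0.0.296 would wrongly flag a patched ESR (13.0.0.264) or
    Linux (11.2.202.440) install, so decide the branch first."""
    if version[0] == 13:
        return FIXED_ESR
    if version[:2] == (11, 2):
        return FIXED_LINUX
    return FIXED_CURRENT  # 16.x and older current-line builds (14.x, 15.x)

def is_patched(text: str) -> bool:
    """True when the install is at or above its branch's fixed build."""
    version = parse_version(text)
    return version >= fixed_for(version)

def triage(inventory: Dict[str, str]) -> List[str]:
    """Sorted hostnames whose Flash Player still needs this update."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "16.0.0.235",       # older current release -> needs update
    "ws-02": "16.0.0.296",       # patched
    "kiosk-esr": "13.0.0.264",   # patched ESR, must not be flagged
    "kiosk-old": "13.0.0.259",   # older ESR -> needs update
    "lnx-01": "11.2.202.440",    # patched Linux build
    "lnx-02": "11.2.202.429",    # older Linux build -> needs update
}
```

Calling `triage(SAMPLE_INVENTORY)` returns only the three hosts that are below the fixed build for their own branch.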

CVE-2015-0311 was first discovered by French researcher Kafeine while analyzing an instance of the Angler exploit kit. This vulnerability and CVE-2015-0310, which Adobe fixed last week with an emergency patch, are being exploited by attackers to deliver the Bedep malware.

Researchers initially thought CVE-2015-0311 was used only by the Angler exploit kit, but later found attackers also using it in malvertising campaigns targeting adult websites.
