Adobe fixes 24 vulnerabilities in Flash Player, including an actively exploited one

Adobe fixes 24 vulnerabilities in Flash Player, including an actively exploited one

The new Flash Player update squashes a bug that hackers have been using to infect computers with ransomware

Adobe Systems released a security update for Flash Player to fix 24 critical vulnerabilities, including one that hackers have been exploiting to infect computers with ransomware over the past week.

The company advised users Thursday to upgrade to the newly released Flash Player on Windows and Mac and Flash Player on Linux. The Flash Player Extended Support Release was also updated to version

As usual, the Flash Player build bundled with Google Chrome on all platforms, Microsoft Edge and Internet Explorer for Windows 10 and IE for Windows 8.1 will be upgraded automatically through the update mechanisms of those browsers.

Twenty-two of the newly patched vulnerabilities can result in remote code execution on users' computers, one can lead to a security feature bypass and one can be used to bypass the memory layout randomization mitigation that's supposed to make exploitation harder in general.

The highlight of this update is the fix for an actively exploited vulnerability tracked as CVE-2016-1019. According to security researchers from Proofpoint, an exploit for this flaw has been used in Web-based attacks to infect computers with file-encrypting ransomware programs since at least March 31.

Fortunately the exploit for CVE-2016-1019 observed in the wild only worked against Flash Player and earlier. Users who had Flash Player, released in March, were protected because the exploit doesn't properly execute on this version and only results in a crash.

The code defect itself does exist in Flash Player, but a heap mitigation added by Adobe in that version prevents the bug's exploitation for remote code execution.

The company has been strengthening the Flash Player heap -- the region of memory where the program stores variables -- since last year, first in collaboration with Google and then on its own. It seems that those efforts, aimed at making the exploitation of memory corruption vulnerabilities harder, are paying off.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO New Zealand newsletter!

Error: Please check your email address.

More about Adobe SystemsGoogleLinuxMicrosoftProofpoint

Show Comments