Wednesday, September 23, 2015

Critical Adobe Flash & AIR Out-Of-Band Updates

--

I watched the update installers appear online...

Adobe Flash v19.0.0.195


Adobe AIR v19.0.0.190


But no Adobe Security Bulletins appeared to determine whether they were security updates or not. Then... POP! Adobe bothered to let us know, a bit LATE. 


23 CVEs have been patched. I've provided CVE links below for those currently listed:

Security updates available for Adobe Flash Player (and AIR)

September 21, 2015

Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-5573).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, CVE-2015-5584, CVE-2015-6682).

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2015-6676, CVE-2015-6678).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, CVE-2015-6677).

These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2015-5571).

These updates resolve a memory leak vulnerability (CVE-2015-5576).

These updates include further hardening to a mitigation to defend against vector length corruptions (CVE-2015-5568).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2015-5567, CVE-2015-5579).

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2015-5587).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-5572).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-6679).

There aren't any zero-day exploits currently listed. However, when Adobe pushes out a security update that isn't on the second Tuesday of the month, you can count on there being an imminent exploit.

So UPDATE NOW!


As usual, if you don't use Adobe Flash (which is increasingly being replaced with HTML5) then remove the Internet Plugin from your OS X system! Apple has built in a couple of methods of protecting users from awful Adobe Flash in Safari. But when surfing the Internet using ANY web browser, be sure to install a Flash blocker add-on/extension into your web browser! There is no WORSE software you can run on the Internet than Flash. It has surpassed awful Oracle Java in danger. You never want Flash automatically running in any web page.


And also as usual: The #1 Rule of both computing and computer security is:



With backups, we can restore our systems back to pre-infection status.





--