Monday, December 28, 2015

Adobe Flash/AIR Exploit In-The-Wild!
Critical Flash/AIR Updates Released

--

The all-too-familiar story: the single most dangerous software on the Internet has been exploited in the wild yet again. The exploit targets CVE-2015-8651 (not yet documented at Mitre.org as of this date).

Adobe has provided the following security updates:

Flash v20.0.0.267

AIR v20.0.0.233

Adobe's security bulletin is HERE.

Summary

Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks. . . .

Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).

And as usual: If you don't need Adobe Flash, uninstall it and never reinstall it again. Adobe's instructions for uninstalling Flash are HERE. Adobe's instructions for uninstalling AIR are about halfway down the page HERE.

--