Friday, May 13, 2016

Adobe Flash In-The-Wild Exploit Patched:
Flash v21.0.0.242, AIR v21.0.0.215
Plus ColdFusion Hotfixes

--

Adobe has released Flash v21.0.0.242 and AIR v21.0.0.215. The patch blocks an in-the-wild exploit of Flash. There is a total of 25 CVE patches. Presumably, this patch is two days later than Adobe's usual 'second Tuesday of the month' patching schedule due to the late discovery of the ongoing exploit.

Download Flash Update
Download AIR Update

The security bulletin is HERE.

Vulnerability Details

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).

Also of note:

Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release.

The security bulletin is HERE.

Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-1113) that could be abused to conduct cross-site scripting attacks.

These hotfixes include an updated version of the Apache Commons Collections library to mitigate an important Java deserialization vulnerability (CVE-2016-1114).

These hotfixes resolve a moderate host name verification problem affecting wild card certificates (CVE-2016-1115).

Hopefully, that's the end of Adobe security patches for May. (0_o)

--

Tuesday, May 10, 2016

Two Critical Adobe Updates:
Acrobat & Reader v15.016.20039 Now,
Flash Update On The Way

--

Sometimes I have to roll my eyes. This is yet another opportunity to shout expletives at Adobe for endangering our computers. It's another 'OMG you suck Adobe!' moment. Get a load of the number of CVEs patched in Acrobat/Reader v15.016.20039. Ninety-two CVEs. It has to be a record. Then there's the ongoing in-the-wild exploit of Flash that Adobe promises to patch later this week. Dangerous stuff. *sigh*

Out Today:


Adobe Acrobat & Reader v15.016.20039


Check for updates from within the applications,

Or download update installers at the pages linked below:

Download Reader Update

Download Acrobat Update

The security bulletin is HERE.

Vulnerability Details

• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107).

• These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4091, CVE-2016-4092).

• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105).

• These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-1043).

• These updates resolve memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092).

• These updates resolve an information disclosure issue (CVE-2016-1112).

• These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117).

• These updates resolve vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106).

Total count: 92 CVEs patched.

~ ~ ~ ~ ~

Coming up later this week:


Adobe Flash update.


The warning security advisory is HERE.

Summary

A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

I'll make another post when the update for Adobe Flash is available. Until then, avoid or stop using Flash.

--