Adobe Updates Flash to Patch Zero-Day Flaw

A delayed March update provides patches for 23 security vulnerabilities, including one for a zero-day flaw already being exploited by attackers.

Adobe Flash update

Adobe pushed out a security update for its Flash Player on March 10, providing users with patches for 23 vulnerabilities. The update was originally supposed to be out on March 8, but was delayed for two days to include a new zero-day flaw.

Of the 23 patched vulnerabilities, only CVE-2016-1010 is identified by Adobe as being a zero-day issue that is already being exploited by attackers.

"We received a report that there was a vulnerability being exploited in limited, targeted attacks," an Adobe spokesperson told eWEEK.

CVE-2016-1010 was reported to Adobe by security researcher Anton Ivanov from Kaspersky Lab. The Adobe spokesperson noted that Adobe became aware of the CVE-2016-1010 vulnerability when the Adobe Product Security Incident Response Team (PSIRT) was notified of the issue. Upon receipt of the information, the incident response process was immediately put into action.

"As for where the attack is occurring, Adobe does not disclose this information in order to protect our customers," the spokesperson said.

Though full details are not yet publicly available on the CVE-2016-1010 flaw, it is grouped together in the Adobe advisory with CVE-2016-0963 and CVE-2016-0993 as an integer overflow vulnerability that could potentially lead to code execution. CVE-2016-0993 was reported to Adobe by Nicolas Joly of Microsoft Vulnerability Research (MSVR), while the CVE-2016-0963 issue was reported to Adobe by the Alibaba Security Team.

By volume, Use-After-Free (UAF) vulnerabilities are the most prominent in the Adobe Flash update with 11 unique CVEs (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999 and CVE-2016-1000).

UAF vulnerabilities occur when attackers abuse authorized memory to gain unauthorized access. Adobe has regularly patched for UAF flaws in its Flash Player software in recent years. Of particular note is the Flash v18.0.0.209 update that debuted in July 2015 that included new UAF attack mitigations that had been contributed to Adobe by Google.

For the new Flash Player update, Adobe is crediting Google researchers with reporting eight vulnerabilities. Adobe also benefited from reports from the Zero Day Initiative (ZDI). Adobe credits ZDI with reporting three vulnerabilities that are now being fixed in the Adobe Flash Player update. When ZDI reported the issues, the group was part of Hewlett Packard Enterprise (HPE), but as of yesterday, ZDI is now officially part of Trend Micro, which gained the group as part of the acquisition of TippingPoint from HPE for $300 million.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.