Adobe Working on Zero-Day, Pwn2Own Patches for Flash

A new zero-day flaw is being exploited in the wild, and Adobe is rushing to patch it, while also accelerating its overall patch cycle for April to protect Flash users.

Flash flaws

Adobe has a monthly patch cycle that becomes generally available on the second Tuesday of any given month—the same day as Microsoft's Patch Tuesday. That won't be the case this month, however, as Adobe is accelerating its process to deal with a new zero-day flaw in its Adobe Flash Player that is already being exploited in the wild by attackers.

On April 5, Adobe issued the APSA16-01 security advisory, warning of the new critical zero-day flaw—identified as CVE-2016-1019—in Adobe Flash Player that impacts Windows, Mac OS X, Linux and Chrome OS users.

In its advisory, Adobe warned that "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe also noted that is aware that attackers are exploiting the vulnerability against victims running Windows 7 and Windows XP with Flash Player version and earlier.

"While the vulnerability itself exists in the most recent version of Flash Player (version and later), it currently only causes a crash," an Adobe spokesperson told eWEEK.

Adobe released the Flash Player update on March 10 as a regularly scheduled patch update, which fixed 23 vulnerabilities. In addition to patching known issues, the March update also introduced enhanced security hardening and mitigation capabilities, which limit the risk of the new CVE-2016-1019 flaw.

"The mitigation introduced in Flash Player currently prevents exploitation of this vulnerability, protecting users running Flash Player and later," Adobe's spokesperson said.

As such, attackers currently are only actively exploiting CVE-2016-1019 against Windows 7 and Windows XP users who have not updated to Flash Player

Because the flaw is being actively exploited, Adobe's spokesperson said Adobe is accelerating the regularly scheduled Patch Tuesday release of Flash Player. Instead of releasing it on April 12, as originally planned, the company will provide an update to address CVE-2016-1019 as early as April 7.

In addition to the new zero-day flaw, the April 7 Flash Player update will likely include fixes to a number of other high-impact vulnerabilities that have recently been reported to Adobe.

At the Pwn2Own hacking contest in March, security researchers publicly demonstrated multiple previously unknown flaws in Flash Player. The way the Pwn2Own event works is that the Zero Day Initiative (ZDI), now owned by Trend Micro, privately reports the details of exploits demonstrated at the event to the impacted vendor. Among the flaws demonstrated at Pwn2Own was a type confusion bug in Adobe Flash that was shown by security researchers identified as the 360Vulcan Team. In addition, security researchers from Tencent's Team Sniper demonstrated a new out-of-bounds vulnerability in Adobe Flash at Pwn2Own.

"The Pwn2Own updates will be shipped during our scheduled updates, as early as April 7, 2016," Adobe's spokesperson said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.