Emergency Flash Update Patches Public Zero Day


Adobe pushed out an emergency Flash Player update, patching a zero-day vulnerability. Adobe said a public exploit exists for CVE-2016-4117.

As promised earlier this week, Adobe today released an updated version of Flash Player that includes a patch for a zero-day vulnerability.

Adobe said it is aware of the existence of a public exploit for CVE-2016-4117, but said the flaw has not been publicly attacked.

The vulnerability affects Flash Player versions 21.0.0.226 and earlier on Windows, Mac OS X, Linux and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said Tuesday in an advisory.

Adobe patched the zero day on the Desktop and Extended Support releases of Flash Player, as well as for the Google Chrome, Microsoft Edge and Internet Explorer 11 browsers, all of which were given the most critical severity rating.

The zero day is a type confusion vulnerability and it exposes the underlying operating system to remote code execution. Researcher Genwei Jiang of FireEye is credited with privately disclosing the issue to Adobe.

The update patches 25 vulnerabilities in total, two of which are type confusion flaws, including the zero day. It also addresses a dozen memory corruption vulnerabilities that lead to remote code execution, along with eight use-after-free flaws that likewise expose systems to remote code execution.

Adobe also patched buffer overflow and heap buffer overflow flaws, as well as a vulnerability in the directory search path, all of which allow remote code execution.

On Tuesday, Adobe gave advance notification of the zero day and said it would have an update ready by today. It also released updated versions of Adobe Acrobat, Adobe Reader and ColdFusion, patching 95 vulnerabilities.

Today’s is the second emergency update to Adobe Flash Player in a little more than a month. On April 7, a zero day was patched in Flash after attacks were discovered in two exploit kits that were pushing ransomware onto compromised machines.

Attackers used the previously unpatched flaw in Flash to infect victims with either Locky or Cerber ransomware. Until then, Locky spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. Cerber is also crypto-ransomware that includes a feature where the infected machine will speak to the victim via a text-to-speech engine.
