Adobe yesterday patched a not-so-sweet 16 Flash Player vulnerabilities, including a zero day under attack.
While not much is known about the targeted attacks using the Flash Player bug, or its victims, details have surfaced on another patched flaw that is a potential privacy nightmare.
CVE-2016-7890 was also patched yesterday after it was privately disclosed by an application security researcher from Ethopia named Paulos Yibelo. Adobe framed the vulnerability as a security feature bypass, and according to Yibelo, it can be used to spy on victims.
“This issue allows eavesdropping on the microphone and camera from a local attacker, and is a high security risk for anyone using shared connection,” Yibelo told Threatpost. Yibelo has earned bug bounty payouts before from Twitter, Facebook and last year with Google for a clickjacking bug he found in Google API Explorer.
Yibelo said that the bug essentially bypasses browser protections such as the Same Origin Policy, which prohibits resources from one domain accessing resources from another. For example, when Facebook users grant Flash Player permission during a video chat to access the microphone and camera over an encrypted connection, Yibelo contends that permission would also be granted to an insecure HTTP connection.
“If you once have authorized Flash Player to take your photo, use your microphone, or use it to video chat from a secure site, it had already granted access to the insecure origin also,” Yibelo said. “So any local attacker can feed you a malicious Flash applet, and it will be able to access your camera, your microphone and such.”
The vulnerability affected Flash Player versions 23.0.0.207 and earlier, and users are urged to update immediately to 24.0.0.186, which includes patches for all of yesterday’s vulnerabilities.
The zero day, CVE-2016-7892, is a use-after-free vulnerability and Adobe said it was aware of limited, targeted attacks using the bug against machines running 32-bit versions of Internet Explorer on Windows. The vulnerability was reported anonymously to Adobe.
The Flash zero-day was one of four critical vulnerabilities fixed by Adobe this month. The company also issued updates to address memory corruption vulnerabilities in Animate, a computer animation program it produces, DNG Converter, a free DNG conversion utility it distributes, and InDesign, its desktop publishing platform.
Microsoft also issued a Flash Player update yesterday for IE and Microsoft Edge.