
Adobe updates Flash Player, patching active zero-day vulnerability

Adobe issued an update to Flash Player Thursday night to fix an active zero-day vulnerability, along with several other critical issues.

This is the second month in a row that Adobe has had to roll out an out-of-schedule update to fix an active flaw in Flash Player. The update covers 24 vulnerabilities, one of which, CVE-2016-1019, is known to be actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.

The CVE-2016-1019 vulnerability was spotted in the Magnitude Exploit Kit by Proofpoint researcher Kafeine and is capable of allowing remote code execution. In a lucky twist, Proofpoint noted that while the new exploit could theoretically work on any version of Flash, only older versions had been targeted.

“In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability. We refer to this type of faulty implementation as a “degraded” mode, and it is something that we have observed in the past with CVE-2014-8439 and CVE-2015-0310 in Angler,” Kafeine wrote.

The problems affect Windows, Macintosh, Chrome and Linux. Adobe announced on April 5 that it would issue the patch and recommends that anyone using Flash upgrade to the latest version as soon as possible.
