Pierluigi Paganini March 11, 2016

Adobe has released an emergency out-of-band update to fix a zero-day vulnerability that is being used in targeted attacks.

It’s happened again, Adobe has Issued an emergency Out-of-Band update For Flash Zero-Day that is being exploited in targeted attacks. The unfortunate thing is that the Out-of-Band Patch For Flash Zero-Day comes just a couple of days after releasing the announced updates to fix critical vulnerabilities in Acrobat, Reader and Digital Editions.

The zero-day vulnerability (CVE-2016-1010) addressed by the last Emergency Out-of-Band update has been discovered by threat researcher Anton Ivanov from Kaspersky Lab, ’s  vulnerability (CVE-2016-1010) and has been exploited in a limited number of targeted attacks.

CVE-2016-1010 is an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers.

“Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.” states the email sent by a Kaspersky representative to Ars.

“At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”

The Emergency Out-of-Band update also fixes also other critical vulnerabilities that could allow an attacker to gain complete control over vulnerable systems.

According to the security bulletin issued by Adobe, the vulnerabilities addressed by the new patch affect all platforms.

“Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.” states the security advisory.

The vulnerability details are:

• These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
• These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).

In order to reduce the attack surface, uninstall any browser extensions that is not really necessary for your work.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – emergency out-of-band update, Adobe)