Flash 0-Day: Deciphering CVEs and Understanding Patches

SANS ISC: Flash 0-Day: Deciphering CVEs and Understanding Patches

SANS Site Network
- Current Site
- SANS Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

InfoSec Handlers Diary Blog

Flash 0-Day: Deciphering CVEs and Understanding Patches

Published: 2015-01-23
Last Updated: 2015-01-25 02:30:43 UTC
by Johannes Ullrich (Version: 1)

(updated with Jan 24th update)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE	Fixed in Flash Version	Currently Used in Attacks	Advisory
CVE-2014-8440	15.0.0.223 (Nov. 2014)	yes	APSB14-24
several	16.0.0.257 (mid Jan 2015)	yes.	APSB15-01
CVE-2015-0310	16.0.0.287 (late Jan 2015)	yes	APSB15-02
CVE-2015-0311	16.0.0.296 (Jan 24th 2015)	yes	APSA15-01

So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: flash

9 comment(s)

Join us at SANS! Attend Intrusion Detection In-Depth with Johannes Ullrich in Online | Arabian Standard Time starting Mar 05 2022

Top of page

Diary Archives