Flash 0-Day: Deciphering CVEs and Understanding Patches
(updated with Jan 24th update)
The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.
CVE | Fixed in Flash Version | Currently Used in Attacks | Advisory |
CVE-2014-8440 | 15.0.0.223 (Nov. 2014) | yes | APSB14-24 |
several | 16.0.0.257 (mid Jan 2015) | yes. | APSB15-01 |
CVE-2015-0310 | 16.0.0.287 (late Jan 2015) | yes | APSB15-02 |
CVE-2015-0311 | 16.0.0.296 (Jan 24th 2015) | yes | APSA15-01 |
So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.
Keywords: flash
9 comment(s)
Join us at SANS!
Attend Intrusion Detection In-Depth with Johannes Ullrich in Online | US Eastern starting Apr 26 2021
×
Diary Archives