Patch now! Flash-exploitin’ PC-hijackin’ attack spotted in the wild by Huawei bods

Share this…

Adobe squeezes out one last batch of security fixes for 2015.

Adobe has issued new versions of Flash to patch a load of security flaws – one of which is being exploited in the wild.

Curiously, that particular vulnerability (CVE-2015-8651) was reported to the Photoshop giant by Kai Wang and Hunter Gao of Huawei’s IT security department. Could the Chinese tech goliath have caught miscreants trying to exploit the bug to infect its systems? Adobe said the flaw is being used “in limited, targeted attacks.”

People should upgrade their installation of Flash – whether on Windows, OS X, Linux or Chrome OS – as soon as possible before criminals start exploiting more of the bugs. Adobe normally emits security updates on the second Tuesday of the month, but has decided get this one out to folks early.

Patch now! Flash-exploitin' PC-hijackin' attack spotted in the wild by Huawei bods

All the programming blunders can be abused to execute code on victims’ computers – a stepping stone to fully hijacking vulnerable machines. An unpatched PC or Mac can be compromised by simply running a malicious Flash file on a webpage.

Here’s the rundown of the software’s 19 security flaws patched in the emergency APSB16-01 update:

  • A type confusion vulnerability that could lead to code execution (CVE-2015-8644). This was reported by Natalie Silvanovich of Google Project Zero.
  • An integer overflow vulnerability that could lead to code execution (CVE-2015-8651). This was reported by the aforementioned Huawei peeps.
  • Use-after-free() vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650). These were reported by Ben Hawkes, Mateusz “j00ru” Jurczyk, and Natalie Silvanovich of Google Project Zero; an anonymous researcher working with HP’s Zero Day Initiative; and Yuki Chen of the Qihoo 360 Vulcan Team.
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645). These were reported by Kai Kang of Tencent’s Xuanwu LAB; Jie Zeng of Qihoo 360; Hawkes, Jurczyk, and Silvanovich again; and Jaehun Jeong of WINS, WSEC Analysis Team working with the Chromium Vulnerability Reward Program.

If your Windows or Mac has Flash version or installed, then you are patched; likewise for version for Google Chrome, for Edge and Internet Explorer 11 on Windows 10; for IE 10 and 11 on Windows 8.x; and for Linux.

If you haven’t already enabled click-to-play for Flash in your browser – a healthy mitigation against future security bugs – now would be a good time as any. (Instructions for Google Chrome users are here, Firefox here, and Internet Explorer/Edge here.