Background
On April 5, 2016, Adobe announced a new zero-day vulnerability, CVE-2016-1019, in Adobe Flash Player versions 21.0.0.197 and earlier. Symantec reports that the vulnerability is being exploited in the wild, and Adobe rates its severity as Critical.
Impact
Successful exploitation can crash the browser or, more seriously, let an attacker execute arbitrary code and take control of the affected computer.
Platforms Affected
- Flash Player 20.0.0.306 and earlier (the versions on which active exploitation has been reported).
The vulnerability itself is present in every version up to and including 21.0.0.197. Starting with Flash Player 21.0.0.182, however, Adobe included a mitigation that prevents the known exploit from working, so versions 21.0.0.182 through 21.0.0.197 contain the bug but are not exploitable by the attacks seen so far.
Adobe's first announcement on April 5 identified only Windows 7 and Windows XP as the platforms on which the vulnerability was being exploited. Evidence gathered in the interim led Adobe to expand that scope on April 6 to all versions of Windows 10 and earlier, and its April 8 security bulletin lists "Windows, Macintosh, Linux, and ChromeOS" as affected. To date, security groups have reported only Windows computers being actively compromised through this vulnerability. Adobe's inclusion of non-Windows operating systems, however, means that the flaw itself exists across platforms, so non-Windows users of Flash should also update immediately.
Local Observations
IU's Unified Device Management service will deploy Flash version 21.0.0.197 to member computers at 1:00 AM on April 9. As noted above, this version contains the vulnerability mitigation but not the fix. The latest version, 21.0.0.213, will be included in the service's regular 30-day update cycle.
When updates are made available, the University Information Policy Office (UIPO) will use the Secunia Corporate Software Inspector (CSI) to distribute the patch to systems configured to use IU's Microsoft Update Service.
Those managing systems that are not part of Unified Device Management and do not use Secunia's CSI with a local WSUS server should update Flash to the latest version for each browser on their platform. For most, that will be version 21.0.0.213. Refer to the Adobe Security Bulletin for this vulnerability for per-platform and per-browser version details.
Security groups around the Internet have reported that exploits for this vulnerability are delivering ransomware to their victims. The security company Proofpoint posted a dissection of an active exploit delivering the ransomware "Cerber", and also reports observing "Locky" being delivered through this vulnerability. While there are reports of computers at IU being affected by ransomware, it cannot be determined whether any of those infections are due to this vulnerability or to some other exploit.
UISO Recommendations
- Enable click-to-play for Flash in your browser, so that Flash content cannot run without an explicit click from you.
- Update Flash to the latest version for your platform and browser (21.0.0.213 for most).
- Consider disabling or removing Flash altogether if you do not need it.
Workarounds
Ensure that no version of Flash Player older than 21.0.0.182 is installed on your machine(s). Versions 21.0.0.182 and later contain Adobe's mitigation against the known exploit, but only 21.0.0.213 fixes the underlying bug, so this is a stopgap until the update can be applied, not a substitute for it.
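The version checks above are easy to get wrong by hand: several Flash builds can coexist on one Windows machine, and a naive string comparison ranks 9.0.280.0 above 21.0.0.213. The following Python script, added here as an example and not code from IU, Adobe or any of the sources listed below, inventories the Flash Player builds on a host and classifies each one against the three thresholds this advisory gives: exploitable (older than 21.0.0.182), vulnerable but mitigated (21.0.0.182 up to but not including 21.0.0.213), and patched (21.0.0.213 or later). The file locations, the file-name pattern it parses, and the macOS Info.plist key it reads are assumptions based on Adobe's usual install layout, and the directory listing it falls back to is constructed sample data.

```python
"""Inventory Flash Player builds on this host and classify each against the
version thresholds in the advisory above.  Added example, not IU or Adobe code;
file locations, file-name pattern and the macOS plist key are assumptions."""
import os
import platform
import plistlib
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int, int]

# From the advisory: 21.0.0.182 added Adobe's exploit mitigation, 21.0.0.213
# is the release that actually fixes CVE-2016-1019.
MITIGATED_FROM: Version = (21, 0, 0, 182)
FIXED_FROM: Version = (21, 0, 0, 213)

# Constructed sample of a Windows Macromed\Flash listing, used only when the
# script finds no Flash Player on the host it runs on.
SAMPLE_LISTING = ["Flash32_21_0_0_197.ocx", "NPSWF32_20_0_0_306.dll",
                  "FlashUtil32_21_0_0_197_ActiveX.exe", "activex.vch"]

def parse_version(text: str) -> Version:
    """'21.0.0.197', '21,0,0,197' or '21_0_0_197' -> (21, 0, 0, 197).
    Compare tuples, never strings: as strings, '9.0.280.0' > '21.0.0.213'."""
    parts = re.split(r"[.,_]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))

def classify(version) -> str:
    """exploitable: below 21.0.0.182, the in-the-wild exploit works.
    vulnerable-mitigated: 21.0.0.182 up to 21.0.0.213, bug present but the
    known exploit is blocked; still needs the update.  patched: 21.0.0.213+."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v >= FIXED_FROM:
        return "patched"
    if v >= MITIGATED_FROM:
        return "vulnerable-mitigated"
    return "exploitable"

# Windows: Adobe names the plugin binaries after the build, e.g.
# Flash32_21_0_0_197.ocx (ActiveX, IE) and NPSWF32_21_0_0_197.dll (NPAPI,
# Firefox).  Leftovers from earlier installs can sit beside the current build,
# so every matching file is reported rather than only the newest.
_WIN_PLUGIN = re.compile(
    r"^(?:Flash(?:32|64)|NPSWF(?:32|64))_(\d+_\d+_\d+_\d+)\.(?:ocx|dll)$", re.I)

def versions_from_filenames(names: Iterable[str]) -> List[Tuple[str, Version]]:
    """Pure function over a directory listing, so it can be tested offline."""
    found = []
    for name in sorted(names):
        m = _WIN_PLUGIN.match(name)
        if m:
            found.append((name, parse_version(m.group(1))))
    return found

def windows_inventory() -> List[Tuple[str, Version]]:
    root = os.environ.get("SystemRoot", r"C:\Windows")
    hits = []
    for sub in ("System32", "SysWOW64"):  # 64-bit hosts carry both
        d = os.path.join(root, sub, "Macromed", "Flash")
        if os.path.isdir(d):
            hits += [(os.path.join(d, n), v)
                     for n, v in versions_from_filenames(os.listdir(d))]
    return hits

# macOS: the NPAPI plugin bundle records its version in Info.plist (assumed path and key).
MAC_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

def mac_inventory() -> List[Tuple[str, Version]]:
    if not os.path.isfile(MAC_PLIST):
        return []
    with open(MAC_PLIST, "rb") as fh:
        info = plistlib.load(fh)
    return [(MAC_PLIST, parse_version(info["CFBundleShortVersionString"]))]

def inventory() -> List[Tuple[str, Version]]:
    system = platform.system()
    if system == "Windows":
        return windows_inventory()
    if system == "Darwin":
        return mac_inventory()
    # Linux NPAPI builds use a separate version line, so the thresholds above
    # do not apply there; report nothing rather than a wrong verdict.
    return []

def worst_status(versions: Iterable[Version]) -> str:
    """One verdict per host: the weakest build present wins, so a leftover old
    copy gets noticed and checked rather than hidden by a newer one."""
    statuses = {classify(v) for v in versions}
    for s in ("exploitable", "vulnerable-mitigated", "patched"):
        if s in statuses:
            return s
    return "not-installed"

if __name__ == "__main__":
    hits = inventory()
    if not hits:
        print("no Flash Player found here; classifying the constructed sample")
        hits = versions_from_filenames(SAMPLE_LISTING)
    for path, ver in hits:
        print(f"{classify(ver):21} {'.'.join(map(str, ver)):12} {path}")
    print("host verdict:", worst_status(v for _, v in hits))
```

Run it as a normal user on each host you manage; a "host verdict" of anything other than "patched" means the machine still needs the 21.0.0.213 update, and "vulnerable-mitigated" is exactly the state of a machine that has only received the 21.0.0.197 deployment described above. Chrome's bundled PPAPI Flash and the Flash built into IE and Edge on Windows 8 and later are updated through their own channels and are not covered by the file-name check, so confirm those separately against Adobe's bulletin.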
Further Reading
- Adobe Security Advisory for Flash Player APSA16-01
- Adobe Security Bulletin for Flash Player APSB16-10
- Adobe Product Security Incident Response Team Blog
- ZDNet article: Adobe deploys emergency patch for Flash zero-day vulnerability
- FireEye: "CVE-2016-1019: A new Flash exploit included in Magnitude exploit kit."
- Proofpoint: "Killing a Zero-Day in the Egg: Adobe CVE-2016-1019."
- Sophos threat analysis: security advisory for Adobe Flash Player
- The Common Vulnerabilities and Exposures (CVE) entry for this issue, CVE-2016-1019