Adobe plugs critical vulnerability in Flash with emergency update

— 12:36 PM on October 16, 2015

Flash users, it's time to update the plugin ASAP. Adobe has today issued an emergency security update to patch a critical vulnerability, just three days after the last update. Adobe says the vulnerability could potentially give an attacker control of an affected system.

This update will bring the Flash NPAPI plugin up to version on Windows and OS X clients. Chrome and Edge will automatically update themselves with the latest plugins for those browsers, according to the security bulletin.

Peter Pi of Trend Micro says this vulnerability could allow attackers to get around mitigation techniques that Adobe and Google created together if it's left unpatched. His blog post about the vulnerability gets into great detail. The basic idea is that the definition of a ByteArray in Adobe's Actionscript programming language isn't protected by these mitigation techniques. A piece of malicious code can be turned loose by using an externalizable object to set the length attribute of a ByteArray to 0xfffffff6. 

According to Trend Micro, the most recent zero-day attack is probably part of an ongoing campaign against the United States and other NATO members. The spate of Java and Flash vulnerabilities discovered from the Hacking Team leak were also used by this campaign, which has been dubbed Pawn Storm. While the attacks have had a limited scope, it seems that it's just a matter of time before more attackers exploit these vulnerabilities now that they're out in the open. Be sure to update Flash, or even better, just disable it if you can.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.