Adobe Patches Yet Another Flash Zero Day
Enterprise users have yet again been urged to uninstall Flash from their PCs after Adobe was forced to patch another zero-day vulnerability.
Bulletin APSB16-15 was released yesterday to fix 25 vulnerabilities in Flash, including CVE-2016-4117, for which an exploit already exists in the wild.
The firm said in a statement:
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”
The bulletin comes after Adobe released patches for over 90 other bugs in its regular monthly update round on Tuesday.
APSB16-15 covers vulnerabilities with a priority rating of either 1 or 3. They include code execution, use-after-free, heap buffer overflow, and memory corruption flaws, as well as a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).
Flash is one of the most commonly exploited pieces of software around, with exploits often being wrapped into one of the popular kits like Angler.
In fact, just last month Adobe was forced to issue an out-of-band update after reports circulated that hackers were taking advantage of CVE-2016-1019 to take control of users’ PCs.
This has led many security professionals to argue that IT security managers should simply ban the software from enterprise networks.
“Adobe flash is still found on way too many machines. It’s one of those programs that’s often not actually used as many vendors see it as a huge security problem,” argued Eset security specialist, Mark James.
“The program itself is one of many that users will leave on their machine without actually using it or understanding the security risk. As with all software these days you need to keep them on the latest versions or better still uninstall it if you don’t need it.”
Meanwhile, Jonathan Sander, VP product strategy at Lieberman Software, argued that only gamers should need Flash on their PC.
“If you’re strictly a business user who uses email, documents, and Web, then you could likely never want or need to install Flash,” he said.
“While a Flash vulnerability won’t be a direct path to critical data in most cases, if it allows a bad guy to get a foothold – it can be dangerous.”
Source: Information Security Magazine