Adobe issued a security advisory yesterday about a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 21.0.0.197 and earlier. The vulnerability affects all OSes (Windows, Mac, Linux and Chrome OS). As Adobe says, it “could cause a crash and potentially allow an attacker to take control of the affected system”. Well, strike that “ In any case, Adobe should release the patch tomorrow (7.4.) so patch as soon as you can to be sure that the vulnerability has been completely mitigated (and of course, use an addon such as NoScript). Adobe offers a handy web page to check which version you have currently installed at http://www.adobe.com/software/flash/about/, while the original advisory is available at https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
Bojan 403 Posts ISC Handler Apr 6th 2016 |
Apr 6th 2016 6 years ago |
My Citrix servers have version 21.0.0.197, which I thought was the latest.
Anonymous |
Apr 6th 2016 6 years ago |
I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?
Anonymous |
Apr 6th 2016 6 years ago |
Quoting Anonymous: My Citrix servers have version 21.0.0.197, which I thought was the latest.

According to Adobe's test page (link in the diary), 21.0.0.197 appears to be the latest version for some browsers, so that's probably what you're seeing - I should have made this more clear. In any case, from what I can tell, all versions are vulnerable, but the exploit does not work against the latest two versions (for now).
Bojan 403 Posts ISC Handler |
Apr 6th 2016 6 years ago |
Quoting Anonymous: I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?

Crossed my mind many times as well, but haven't played with it. I think this would be a great test to see if EMET blocks the exploit - hope we get some good news from our readers :)
Bojan 403 Posts ISC Handler |
Apr 6th 2016 6 years ago |
We deployed EMET organization wide last year and with the latest version (5.5) we have not had any issues. I can tell you in a lab environment it has blocked several flash exploits. As with any security countermeasure you should have another layer so this along with your other protections is a nice addition.
Anonymous |
Apr 6th 2016 6 years ago |
I'm one week away from no more flash in IE. Just one GPO. Thank God the business doesn't need it for anything. So happy to get rid of it..
TuggDougins 37 Posts |
Apr 7th 2016 6 years ago |
Would EMET work in a defender / pentester's toolkit? It does generate event log entries that can be collected centrally.

hxxps://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

"EMET will log this as an error message (EventID 2) and may, if configured to do so, display a pop-up notification to the end user. EMET however, does not have a centralized management console and a third-party log management solution should be used to collect these events."

EMET 5.5 user guide hxxps://www.microsoft.com/en-us/download/confirmation.aspx?id=50802 also describes the option for configuring local telemetry:

For troubleshooting purposes, we have added a “Local Telemetry” mode. When this mode is enabled, the information that would be sent through the “Early Warning” will be saved locally instead in a user-defined folder. To enable this mode, users need to create two entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET:

LocalTelemetryPath (string): path where to save the information (i.e. c:\emet_local_telemetry)

Optionally, you can create the following registry key to control what kind of MiniDump file to create:

MiniDumpFlags (DWORD): 0x1ff (default value)

More information on the possible flags are available at MSDN article hxxps://msdn.microsoft.com/library/windows/desktop/ms680519(v=vs.85).aspx.

OK, zooming back out. Balancing the level of details in security work is HARD.
dotBATman 70 Posts |
Apr 7th 2016 6 years ago |
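An added example, not part of the thread or of any EMET tooling: once the Application-log events mentioned in the comment above have been collected centrally, a filter like this picks out the EMET error records (EventID 2) and counts them per host. The provider name `EMET`, the `<Events>` wrapper around the export, the host names and the message text are assumptions or constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(provider, event_id, when, host, text):
    """Build one constructed Application-log record in Windows event XML."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID Qualifiers="0">{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{host}</Computer>'
            f'</System><EventData><Data>{text}</Data></EventData></Event>')

# Constructed sample export; hosts and message text are made up.
SAMPLE = "<Events>" + "".join([
    make_event("EMET", 2, "2016-04-07T09:14:02Z", "ws-014.example.test",
               "constructed: mitigation triggered in iexplore.exe"),
    make_event("EMET", 1, "2016-04-07T09:00:00Z", "ws-014.example.test",
               "constructed: informational message"),
    make_event("Application Error", 1000, "2016-04-07T09:20:11Z",
               "ws-020.example.test", "constructed: unrelated crash"),
    make_event("EMET", 2, "2016-04-07T10:41:37Z", "ctx-03.example.test",
               "constructed: mitigation triggered in iexplore.exe"),
]) + "</Events>"

def emet_errors(xml_text, provider="EMET", event_id=2):
    """Return time, host and message for each record from the assumed
    provider name whose EventID matches (2 = EMET error per the quote)."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system is None:
            continue
        prov = system.find("e:Provider", NS)
        eid = system.findtext("e:EventID", default="", namespaces=NS).strip()
        if prov is None or prov.get("Name") != provider or eid != str(event_id):
            continue
        created = system.find("e:TimeCreated", NS)
        hits.append({
            "time": created.get("SystemTime") if created is not None else None,
            "host": system.findtext("e:Computer", default="", namespaces=NS),
            "message": ev.findtext("e:EventData/e:Data", default="", namespaces=NS),
        })
    return hits

def hosts_by_count(hits):
    """Hosts ordered by number of EMET error events, busiest first."""
    return Counter(h["host"] for h in hits).most_common()
```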
CVE-2016-1019 is not the only vulnerability fixed in the current flash update: the [un]installers of previous versions load a bunch of Windows system DLLs from their application directory instead of the Windows system directory, see CVE-2016-1014
This weakness and bloody beginner's error is well-known as https://cwe.mitre.org/data/definitions/426.html, https://cwe.mitre.org/data/definitions/427.html and https://capec.mitre.org/data/definitions/471.html |
Anonymous |
Apr 7th 2016 6 years ago |
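An added example, not part of the thread: a detection sketch for the untrusted search path weakness described in the comment above (CWE-426/427), run over image-load records carrying `Image` and `ImageLoaded` fields in the style of Sysmon event ID 7. The DLL name list is an illustrative assumption, not the set the Flash installers load, and all records and paths are constructed.

```python
import ntpath

# System directories a Windows system DLL is expected to load from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumption: a short illustrative list of DLL names that ship in the
# system directory. A real deployment would build this from a clean image.
SYSTEM_DLLS = {"version.dll", "uxtheme.dll", "dwmapi.dll", "cryptbase.dll"}

# Constructed image-load records (process image, module it loaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\setup_example.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll"},
    {"Image": r"C:\Users\alice\Downloads\setup_example.exe",
     "ImageLoaded": r"C:\Windows\System32\uxtheme.dll"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\plugin.dll"},
    {"Image": r"C:\USERS\alice\Downloads\setup_example.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\CRYPTBASE.DLL"},
]

def planted_dll_loads(events):
    """Flag loads where a system DLL name was resolved from the
    application directory instead of a system directory."""
    findings = []
    for ev in events:
        # normcase lowercases and normalises separators, so mixed-case
        # paths from different log sources compare equal.
        image = ntpath.normcase(ev["Image"])
        loaded = ntpath.normcase(ev["ImageLoaded"])
        app_dir = ntpath.dirname(image)
        load_dir = ntpath.dirname(loaded)
        name = ntpath.basename(loaded)
        if (name in SYSTEM_DLLS
                and load_dir not in SYSTEM_DIRS
                and load_dir == app_dir):
            findings.append((ntpath.basename(image), name, load_dir))
    return findings
```

Installers started from a user-writable folder such as Downloads are the case worth alerting on, since anything already sitting in that folder shares the application directory.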
Did Microsoft update Flash? I do not see anything new after MS16-036.
Are waiting for (to be bundled in, let it fester until) the upcoming patch Tuesday? |
Paul Szabo 14 Posts |
Apr 8th 2016 6 years ago |
Microsoft did update Adobe Flash Player.
See: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+April+2016/20935/ |
Anonymous |
Apr 13th 2016 6 years ago |