Patch now! Flash-exploitin' PC-hijackin' attack spotted in the wild by Huawei bods

Adobe squeezes out one last batch of security fixes for 2015


Adobe has issued new versions of Flash to patch a load of security flaws – one of which is being exploited in the wild.

Curiously, that particular vulnerability (CVE-2015-8651) was reported to the Photoshop giant by Kai Wang and Hunter Gao of Huawei's IT security department. Could the Chinese tech goliath have caught miscreants trying to exploit the bug to infect its systems? Adobe said the flaw is being used "in limited, targeted attacks."

People should upgrade their installation of Flash – whether on Windows, OS X, Linux or Chrome OS – as soon as possible before criminals start exploiting more of the bugs. Adobe normally emits security updates on the second Tuesday of the month, but has decided to get this one out to folks early.

All the programming blunders can be abused to execute code on victims' computers – a stepping stone to fully hijacking vulnerable machines. An unpatched PC or Mac can be compromised by simply running a malicious Flash file on a webpage.

Here's the rundown of the software's 19 security flaws patched in the emergency APSB16-01 update:

  • A type confusion vulnerability that could lead to code execution (CVE-2015-8644). This was reported by Natalie Silvanovich of Google Project Zero.
  • An integer overflow vulnerability that could lead to code execution (CVE-2015-8651). This was reported by the aforementioned Huawei peeps.
  • Use-after-free() vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650). These were reported by Ben Hawkes, Mateusz "j00ru" Jurczyk, and Natalie Silvanovich of Google Project Zero; an anonymous researcher working with HP's Zero Day Initiative; and Yuki Chen of the Qihoo 360 Vulcan Team.
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645). These were reported by Kai Kang of Tencent's Xuanwu LAB; Jie Zeng of Qihoo 360; Hawkes, Jurczyk, and Silvanovich again; and Jaehun Jeong of WINS, WSEC Analysis Team working with the Chromium Vulnerability Reward Program.

If your Windows or Mac has Flash version 20.0.0.267 or 18.0.0.324 installed, then you are patched; likewise for version 20.0.0.267 for Google Chrome, 20.0.0.267 for Edge and Internet Explorer 11 on Windows 10; 20.0.0.267 for IE 10 and 11 on Windows 8.x; and 11.2.202.559 for Linux.
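The version table above, turned into an inventory check, as an added example that is not from the article or from Adobe. It parses dotted build numbers and compares them numerically against the APSB16-01 fixed build for the matching release branch (the 18.x track is compared against 18.0.0.324, not the 20.x desktop build). The fixed versions are the ones the article lists; the assumption that any later build on the same branch is also patched is mine, and the hostnames and versions in the sample inventory are made up.

```python
"""Decide whether an installed Flash Player build is at or above the
APSB16-01 fixed version for its platform and release branch.

Added example, not the article's or Adobe's code. Fixed versions are
taken from the article; treating any later build on the same branch
as patched is an assumption of this script."""

# Minimum patched builds per platform, keyed by major version so that
# each release branch is compared against its own fixed build.
FIXED_VERSIONS = {
    "windows": {20: "20.0.0.267", 18: "18.0.0.324"},
    "mac":     {20: "20.0.0.267", 18: "18.0.0.324"},
    "chrome":  {20: "20.0.0.267"},
    "edge":    {20: "20.0.0.267"},   # Edge / IE 11 on Windows 10
    "ie":      {20: "20.0.0.267"},   # IE 10 / 11 on Windows 8.x
    "linux":   {11: "11.2.202.559"},
}


def parse_version(text):
    """Turn '20.0.0.267' into (20, 0, 0, 267) so tuples compare numerically.
    Plain string comparison would wrongly rank '9' above '10'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, installed):
    """Return True if `installed` is at or above the APSB16-01 fixed build
    for its branch on `platform`; raise on a platform not in the table."""
    branches = FIXED_VERSIONS.get(platform.lower())
    if branches is None:
        raise ValueError(f"unknown platform: {platform!r}")
    have = parse_version(installed)
    fixed_text = branches.get(have[0])
    if fixed_text is None:
        # A branch the bulletin does not list (e.g. an out-of-support
        # release) cannot be called patched by this table.
        return False
    return have >= parse_version(fixed_text)


def audit(inventory):
    """Run the check over (host, platform, version) records and return
    the hosts that still need the update, in inventory order."""
    return [host for host, platform, version in inventory
            if not is_patched(platform, version)]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("ws-01", "windows", "20.0.0.267"),    # patched
        ("ws-02", "windows", "20.0.0.235"),    # older 20.x build
        ("ws-03", "windows", "18.0.0.324"),    # patched 18.x build
        ("ws-04", "windows", "18.0.0.268"),    # older 18.x build
        ("lx-01", "linux",   "11.2.202.559"),  # patched
        ("lx-02", "linux",   "11.2.202.554"),  # older
    ]
    for host in audit(sample):
        print(f"{host}: Flash still needs the APSB16-01 update")
```

Feed `audit()` whatever your asset inventory exports (host, platform, version); the numeric tuple comparison is the part that matters, since a string compare would call a 20.0.0.9 build newer than 20.0.0.267.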

If you haven't already enabled click-to-play for Flash in your browser – a healthy mitigation against future security bugs – now would be as good a time as any. (Instructions for Google Chrome users are here, Firefox here, and Internet Explorer/Edge here.) ®
