Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Flash 0-Day: Deciphering CVEs and Understanding Patches InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Flash 0-Day: Deciphering CVEs and Understanding Patches

Published: 2015-01-23
Last Updated: 2015-01-25 02:30:43 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

(updated with Jan 24th update)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version  Currently Used in Attacks Advisory
CVE-2014-8440 15.0.0.223 (Nov. 2014) yes APSB14-24
several 16.0.0.257 (mid Jan 2015) yes. APSB15-01
CVE-2015-0310 16.0.0.287 (late Jan 2015) yes APSB15-02
CVE-2015-0311 16.0.0.296 (Jan 24th 2015) yes APSA15-01

So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: flash
9 comment(s)
Diary Archives