Adobe patches Flash again, but not the flaws exploited at Pwn2Own
Posted on 13 March 2013.
As promised last year, Adobe has been issuing its scheduled Flash updates on the second Tuesday of each month - the same day that Microsoft chose for its monthly Patch Tuesday.

Yesterday's cumulative Flash update addressed vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system: an integer overflow vulnerability (CVE-2013-0646), a use-after-free and a heap buffer overflow vulnerability (CVE-2013-0650 and CVE-2013-1375, respectively) and a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

What is missing from the update is a patch for the three zero-days (an overflow, an ASLR bypass technique and an IE9 sandbox memory corruption) that the team from Vupen Security chained together to exploit Adobe Flash on IE 9 on Windows 7 at the Pwn2Own competition held last week at the CanSecWest conference in Vancouver.

While a patch for them would have been welcome, its absence is not that surprising. The time frame between the two events is rather short, and even a well-oiled machine such as Microsoft hasn't managed to patch the two zero-days that the Vupen team exploited to achieve a full IE 10 on Windows 8 compromise with sandbox bypass in time for its regular Patch Tuesday.

Users who update their Flash manually can pick up the patched versions for Windows, Mac and Linux at Adobe's official Flash Player download page.









Copyright 1998-2014 by Help Net Security.