Giveaway of the Day Forums

1. 

   mikiem2
   Moderator

   Live Now

   https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658

   "Adobe tomorrow [TODAY] is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team.

   The controversial Italian intrusion and surveillance software vendor was breached and on Sunday, private documents, including internal emails and customer invoices, were leaked. The published loot shows sales to oppressive governments, a practice the company’s marketing material says it did not engage in."

   "Adobe’s advisory, published a short time ago, is short on details other than to say that the vulnerability has likely been publicly exploited. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.

   “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” said the Adobe advisory. The vulnerability was reported to Adobe by researcher Morgan Marquis-Boire and Google Project Zero. Marquis-Boire and Adobe confirmed to Threatpost that the patch will address the Hacking Team zero day."
   

   
   http://www.adobe.com/software/flash/about/
   https://www.adobe.com/products/flashplayer/distribution3.html

   Posted 9 years ago #
2. 

   Suze
   Member

   Many thanks, mikiem2! I had a notice to update Flash Player this morning, and wondered why, especially since there was another update only a couple of weeks ago.

   Posted 9 years ago #
3. 

   mikiem2
   Moderator

   Unfortunately that's not all of the nasty stuff found when they posted the files from the Hacking Team breach. There's also an unpatched Windows vulnerability...

   http://www.kb.cert.org/vuls/id/103336
   

   
   Overview

   The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain SYSTEM privileges on an affected Windows system.
   Description

   Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Although not related to this specific vulnerability, the j00ru//vx tech blog has details about the Adobe Type Manager Font Driver.

   Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.
   Impact

   This vulnerability can allow an attacker to gain SYSTEM privileges on an affected Windows system. This can be used to bypass web browser and other OS-level sandboxing and protections.
   Solution

   The CERT/CC is currently unaware of a practical solution to this problem.

   Posted 9 years ago #
4. 

   Suze
   Member

   At least you're able to install the update! I have tried, both on Firefox and on IE 11, and keep getting the same error:

   "An error has occurred in the script on this page

   Line: 202
   Char: 13
   Error: Unable to set property 'innerHTML' of undefined or null reference
   Code: 0
   URL: res://C:\Users\Sue\Desktop\flashplayer18_ha_install.exe/160"

   This is the first time I've ever encountered an error installing Flash Player . . .

   Update: I went to the FP Forum - others had similar problems. The recommendation was to go here https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html. At the bottom of the page are the OFFLINE installers. Download the one(s) you need. Then make sure all browsers are closed before installing it/them.

   This worked for me for both IE 11 and FF 33.

   Posted 9 years ago #
5. 

   mikiem2
   Moderator

   Very glad it worked!

   That sort of thing used to bedevil me in XP, but knock wood, haven't had too many problems since. We've got one Vista install [with loads of games so my wife keeps it] that we have to use the complete installer on, but so far [again knock wood] that's about it.

   Posted 9 years ago #
6. 

   Suze
   Member

   You and me both ;-)

   At least there's a good alternative in case there are any installation problems.

   Posted 9 years ago #
7. 

   Whiterabbit-uk
   Games Guru

   Thanks Mikiem

   Posted 9 years ago #

RSS feed for this topic

Reply

You must log in to post.