On April 5, 2016, Adobe released security advisory APSA16-01 (CVE number: CVE-2016-1019) for a vulnerability in the Adobe Flash Player. The vulnerability affects the player on Microsoft Windows, Apple OS X, Linux, and Google's Chrome OS, including all versions of Windows from Windows 10 backwards through Windows XP. It exists in Adobe Flash Player 21.0.0.197 and earlier versions. The vulnerability is currently being exploited "in the wild", i.e., malefactors are already taking advantage of it to compromise vulnerable systems. It allows malefactors to crash a system and even potentially gain remote control of the system. The vulnerability is being used by the Magnitude Exploit Kit to spread Locky ransomware; see "Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player".
A software change Adobe made in version 21.0.0.182 prevents the exploit from succeeding, so users who have at least that version should be safe from having their systems compromised by it: on versions 21.0.0.182 and 21.0.0.197, the exploit will only cause a crash [1]. But I would advise users to upgrade to the current version of the Adobe Flash Player, which is version 21.0.0.213. If you use multiple web browsers on a system, you should ensure that each of them has the latest version of the Adobe Flash Player plug-in, if you have Adobe Flash Player support installed for that browser. You can check the version of the Flash Player being used by a browser by visiting Adobe's www.adobe.com/software/flash/about/ page. Alternate methods for checking the version of the Flash Player on Apple OS X systems can be found at "Determining the version of Adobe Flash on an OS X system".
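As an added example (not code from Adobe or from the sources cited here), the version thresholds above can be applied to a list of per-browser Flash Player versions collected from several machines, comparing the four numeric fields rather than the raw strings. The host names and inventory rows are constructed, the comma-separated "WIN 21,0,0,197" input form is an assumed report format, and the thresholds are assumed to describe a single release line, since the post gives no others.

```python
import re

# Version thresholds taken from the post above (assumed to describe one release line).
MITIGATED_FROM = (21, 0, 0, 182)  # from this build on, the exploit only causes a crash
LAST_AFFECTED = (21, 0, 0, 197)   # the vulnerability exists in this build and earlier
CURRENT = (21, 0, 0, 213)         # version the post advises upgrading to

def parse_version(text):
    """Parse '21.0.0.197' or the comma form 'WIN 21,0,0,197' into a tuple of ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if m is None:
        raise ValueError(f"not a Flash Player version: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(text):
    """Map a reported version to a status using numeric, not string, comparison."""
    v = parse_version(text)
    if v >= CURRENT:
        return "current"
    if v > LAST_AFFECTED:
        return "outdated"      # not listed as affected, but older than 21.0.0.213
    if v >= MITIGATED_FROM:
        return "crash-only"    # vulnerable; exploit blocked by the 21.0.0.182 change
    return "exploitable"

def triage(inventory):
    """Group (host, browser, reported_version) rows by status; bad rows go to 'unknown'."""
    report = {}
    for host, browser, reported in inventory:
        try:
            status = classify(reported)
        except ValueError:
            status = "unknown"
        report.setdefault(status, []).append((host, browser))
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-01", "Firefox", "21.0.0.213"),
    ("ws-01", "Internet Explorer", "WIN 21,0,0,197"),
    ("ws-02", "Chrome", "21.0.0.182"),
    ("ws-03", "Safari", "20.0.0.306"),
    ("ws-04", "Firefox", "9.0.124.0"),
    ("ws-05", "Firefox", "not installed"),
]

if __name__ == "__main__":
    for status, rows in sorted(triage(SAMPLE).items()):
        print(status, rows)
```

The "9.0.124.0" row shows why the fields are compared as integers: as a plain string it sorts after "21.0.0.213" and would be reported as up to date.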
References:
1. Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player
   Posted: April 7, 2016
   Simply Security News, Views and Opinions from Trend Micro, Inc
2. A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack
   Posted: April 8, 2016
   Simply Security News, Views and Opinions from Trend Micro, Inc