Adobe patches Flash again, but not the flaws exploited at Pwn2Own
Posted on 13 March 2013.
As promised last year, Adobe has been issuing its scheduled Flash updates on the second Tuesday of each month - the same day that Microsoft chose for its monthly Patch Tuesday.

Yesterday's cumulative Flash update addressed vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system: an integer overflow vulnerability (CVE-2013-0646), a use-after-free and a heap buffer overflow vulnerability (CVE-2013-0650 and CVE-2013-1375, respectively) and a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

What is missing from the update is a patch for the three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) that the team from Vupen security chained together to exploit Adobe Flash on IE 9 on Windows 7 at the Pwn2Own competition held last week at the CanSecWest conference in Vancouver.

While a patch for them would have been welcome, its absence is not that surprising. The time frame between the two events is rather short, and even a well-oiled machine such as Microsoft hasn't managed to patch the two zero-days that the Vupen team exploited to achieve a full IE 10 on Windows 8 compromise with sandbox bypass in time for its regular Patch Tuesday.

Users who update their Flash manually can pick up the patched versions for Windows, Mac and Linux at Adobe's Plash Player official download page.


The security threat of unsanctioned file sharing

Posted on 31 October 2014.  |  Organisational leadership is failing to respond to the escalating risk of ungoverned file sharing practices among their employees, and employees routinely breach IT policies.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Oct 31st