Out of Band Update for Flash

MS16-036 is a critical out of band update and resolves 20 vulnerabilities in Adobe Flash Player on all supported versions of Windows Server 2012, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows 10. 

This bulletin addresses vulnerabilities by updating the Adobe Flash libraries contained within all supported versions of Internet Explorer and Microsoft Edge. We recommend that this update be installed with the highest priority.

 

A successful attacker will exploit this vulnerability to gain Remote Code Execution giving them full access to the targeted device. The vulnerabilities can be exploited by redirecting users to malicious websites specifically set up for the purpose of attack using Search Engine Poisoning, hacking legitimate websites and email documents, PDF, Word etc. with malicious Flash content. 

 

This update, in my opinion, should be a business’s highest priority and therefore should be deployed with the utmost urgency. Flash exploits are increasingly becoming the vulnerability of choice, and with the wide spread use of the application, this means we are all exposed. My advice would be to uninstall Flash, Silverlight and Java browser extensions, and test to see if they are really necessary.

 

Microsoft published on Monday, March 7 that 14 vulnerabilities would be released in this month’s Patch Tuesday updates, but only 13 made it through. MS16-036 was held back at the last minute due to the discovery of CVE-2016-1010. The zero-day vulnerability was discovered by Anton Ivanov of Kaspersky Labs, but no additional details have been released.

 

In an e-mail, a Kaspersky representative wrote: “Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks. At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”

 

Should you have the need to install any language packs then this update will need to be reapplied, Verismic Software advises that any pending language pack installs are applied prior to installing MS16-036.

 

This security bulletin addresses the following vulnerabilities which are described in Adobe Security Bulletin APSB16-08: CVE-2015-8652, CVE-2015-8655, CVE-2015-8658, CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988, CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0993, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-1001, CVE-2016-1005, CVE-2016-1010

 

For further information, see Microsoft Knowledge Base Article 3144756.