Microsoft catches up to Valentine's Day Flash flaw massacre

Critical update deals with five ways to do remote code execution on Windows

Microsoft's popped out a Security Update for Adobe Flash.

Adobe did likewise last week, celebrating hackers' love for Flash by releasing it on Valentine's Day. That dump addressed no fewer than 13 CVEs that allowed code execution due to:

  • Type confusion vulnerability
  • Integer overflow vulnerability
  • Use-after-free vulnerabilities
  • Heap buffer overflow vulnerabilities
  • Memory corruption vulnerabilities

Microsoft's now caught up, issuing the Update to fix the mess on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

The attack succeeds by poisoning a malicious website. There's a list of mitigations here, but the bottom line is that if you blacklist Flash a few websites will misbehave but your attack surface will shrink appreciably.

This update is not a delayed release for February's Patch Tuesday, which Microsoft has delayed due to problems doing the job right. Windows admins can expect a patch deluge come mid-March.

Windows Update will retrieve the patches if you've set it to do so, or you can get them here. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019