New zero-day vulnerabilities in Adobe Flash and Windows are being actively exploited in the wild.
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. The Adobe flaw (CVE-2016-7855) is a use-after-free vulnerability that could lead to code execution.
“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” Adobe said in its security bulletin.
The Google security group reported the flaws to Adobe and Microsoft back on Oct. 21, and while Adobe updated Flash to address the issue, Microsoft has yet to push a patch.
“We are…disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” Google said in its blog. “This vulnerability is particularly serious because we know it is being actively exploited.”
The Adobe update is available via Adobe's updater and via Chrome auto-update. On Windows 10, Chrome's sandbox now blocks win32k.sys system calls using the Win32k lockdown mitigation, which prevents exploitation of the sandbox escape vulnerability. “The flaw can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” the Google team reported.
Users should verify that auto-updaters have already updated Flash, update manually if not, and apply Windows patches from Microsoft when they become available for the Windows vulnerability.