Hello, welcome to the Thursday, October 27th, 2016 edition of the Sanctonet Storm Center's

Stormcast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Adobe released an update for Flash today that patches one vulnerability CVE 2016-7855 that is already being exploited in the wild in some targeted attacks.

So that's why they went ahead and released this update outside of their normal patch schedule.

Now the vulnerability does affect all releases of Flash,

so it's Linux, OS10, and Windows, but so far it only has been exploited actually on Windows.

So please go ahead and update this as soon as you can. And of course, as always, review that you have Flash installed securely or not installed at all if you need it. One of the things to double check is that Flash only runs if the user actually enables it for a particular site,

because this is hardly the last flash exploit

that we are going to see.

And another point to own contest targeting mobile devices

just wrapped up revealing new exploits against iOS,

as well as against Android. In particular, against Android, it was possible

to install a malicious application without any user interaction and essentially root the phone

on iOS. The attackers also managed to install an application. However, it didn't survive reboot,

which, well, in hindsight, it isn't really all that bad, given that you typically don't reboot

your iPhone all the time. As targets, they use an iPhone 6S and Nexus 6P device, so relatively recent devices and they all had fully patched, recent

versions of the operating system installed.

Vulnerabilities used in these exploits have been revealed to respective vendors and we hopefully

will see patches for these vulnerabilities

shortly.

...