Adobe on Wednesday released Vulnerability-related.PatchVulnerability several unscheduled fixes for Flash Player , including a critical vulnerability that it said is being exploited Vulnerability-related.DiscoverVulnerability in the wild . The critical vulnerability , CVE-2018-15982 , is a use-after-free flaw enabling arbitrary code-execution in Flash . “ Adobe has released Vulnerability-related.PatchVulnerability security updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS , ” Adobe said in its release Vulnerability-related.PatchVulnerability . “ These updates address Vulnerability-related.PatchVulnerability one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer . Successful exploitation could lead to arbitrary code-execution and privilege-escalation in the context of the current user respectively. ” The flaw was discovered Vulnerability-related.DiscoverVulnerability by Chenming Xu and Ed Miles of Gigamon ATR . Researchers also outlined Vulnerability-related.DiscoverVulnerability the further technical details about the exploit of the vulnerability . Impacted Vulnerability-related.DiscoverVulnerability is Adobe Flash Player Desktop Runtime , Adobe Flash Player for Google Chrome ; Adobe Flash Player for Microsoft Edge and Internet Explorer 11 ; all for versions 31.0.0.153 and earlier . Adobe Flash Player Installer versions 31.0.0.108 and earlier is also affected Vulnerability-related.DiscoverVulnerability . Users of these impacted products can update Vulnerability-related.PatchVulnerability to version 32.0.0.101 , according to Adobe . Users of Adobe Flash Player Installer can update Vulnerability-related.PatchVulnerability to version 31.0.0.122 . Adobe also patched Vulnerability-related.PatchVulnerability an important-rated insecure library loading ( via DLL hijacking ) vulnerability , CVE-2018-15983 , that could lead to privilege escalation via Adobe Flash . This is only the latest exploit to hit Adobe Flash – earlier in June , a zero-day Flash vulnerability was is being exploited Vulnerability-related.DiscoverVulnerability in the wild in targeted attacks against Windows users in the Middle East , according to researchers . Adobe dealt with another zero-day Flash vulnerability back in February , which was exploited Vulnerability-related.DiscoverVulnerability by North Korean hackers .

Airmail has issued Vulnerability-related.PatchVulnerability an update today to patch Vulnerability-related.PatchVulnerability a vulnerability that security researchers said Vulnerability-related.DiscoverVulnerability could let malicious third parties access email databases and read a user ’ s messages . Security consulting firm Versprite outlined Vulnerability-related.DiscoverVulnerability the issue in a blog post this morning , noting how Airmail 3 uses both a custom URL scheme and a so-called “ deterministic ” file system location for email messages for any given account . Using those two pieces of information , a hacker could theoretically retrieve Attack.Databreach every one of a user ’ s messages through a phishing scheme Attack.Phishing that relies on that custom URL scheme . Airmail told The Verge that it ’ s already updated Vulnerability-related.PatchVulnerability the app in the Mac App store and through its direct download beta program to address Vulnerability-related.PatchVulnerability the issue , calling it a “ very hypothetical ” one . The version number is Airmail 3.6 , and it should be rolling out Vulnerability-related.PatchVulnerability over the course of the day if you don ’ t already have it now . The update is also listed on Airmail ’ s website , with the update note , “ Potential URL Scheme Vulnerability Fix . ”

In a disclosure Vulnerability-related.DiscoverVulnerability on March 27 that included their own simple Python proof-of-concept , the researchers outlined Vulnerability-related.DiscoverVulnerability the “ buffer overflow in the ScStoragePathFromUrl function in the WebDAV service ” when an attacker sends an overlong IF header request as part of a PROPFIND request ( if that sounds obscure you can read about WebDAV here ) . Designated Vulnerability-related.DiscoverVulnerability CVE-2017-7269 , that ’ s bad news , but the fact that it has been known Vulnerability-related.DiscoverVulnerability about for months – with new exploits now likely – is the main takeaway . Given that IIS 6.0 shipped with Windows Server 2003 R2 in 2005 and Microsoft stopped supporting it after the end of life deadline passed in July 2015 ( ie no more patches ) , one might assume that the install base is small . More likely , this is another version of the Windows XP situation where organisations find it hard to wean themselves off core software and end up putting themselves at risk . In 2015 , research from analysts RiskIQ found 2,675 installs of IIS 6.0 inside 24 of the top FTSE-100 UK companies alone . Incredibly , the same analysis found 417 installs of IIS 5.0 in the same companies , which at that time was a year beyond extended support death . Shodan estimates 600,000 machines still visibly running this software globally , perhaps 10 % of which have the PROPFIND extension running according to an analysis by one enterprising researcher . Nobody knows , but with Microsoft unlikely to step in Vulnerability-related.PatchVulnerability with a fix , it could be more than enough to cause problems . The premium fix is to stop using IIS 6.0 immediately but for anyone who finds that difficult there is one hope : guerrilla patching Vulnerability-related.PatchVulnerability . We discussed this phenomenon in our recent coverage of Google ’ s “ Operation Rosehub ” , but it can be summed up by the simple idea that if the vendor in whose software a vulnerability has arisen can ’ t or won ’ t fix Vulnerability-related.PatchVulnerability the issue then someone else does it for them . A company called Acros Security dubbed this the “ 0patch ” and , lo and behold , has come up Vulnerability-related.PatchVulnerability with a “ micro-patch ” for CVE-2017-7269 . We can ’ t vouch for this but Acros explains how developed this in some detail for anyone staring down the barrel of limited options . What the latest episode challenges is the fixed idea of software lifecycles according to big software vendors , which runs something like “ we ’ ve told them in advance that support will be removed by a given date so if they don ’ t follow our advice and upgrade then that ’ s their lookout ” . The near debacle of XP ’ s zombie afterlife was an example of this MO running aground on the rocks of business reality , beside which the latest IIS 6.0 event might look modest . But an unpatchable zero-day affecting Vulnerability-related.DiscoverVulnerability hundreds of thousands of compromised web servers won ’ t be fun for anyone – Microsoft included