April, 2016: Patch Monday: Active Attacks for Adobe Flash

Before you do anything, get rid of Quicktime. Click here to read my blog article about this threat.

Welcome to this April Patch Monday Bulletin. There are quite a bit of vulnerabilities patched this month for Adobe, Google and Oracle. There is a vulnerability in Adobe Flash that is being actively attacked this month (CVE-2016-1019) and should be the top priority. The exploitation of this vulnerability may result in denial of service or arbitrary code execution so it is important to test and roll this patch out as soon as possible. Adobe released patches for four other products that include Air, Analytics for Flash Library, RoboHelp Server and the Creative Cloud Desktop Application. If any of these products are in use then it is a good idea to test and apply these patches as well. Google released several stable updates to Chrome this month that remediate numerous vulnerabilities. Finally, this month is the second quarterly Oracle critical patch update. There were 9 vulnerabilities patched for Java this month in addition to the out of band patch for CVE-2016-0636 in March. If Java was not patched last month then the patch process for Java should be implemented following Flash. Take this month to review browser configurations that may mitigate flash exploits such as removing flash if it is not necessary or enabling click to play as opposed to running flash automatically.

Correlate application security events with all the other enterprise events

If your SIEM isn't getting the security events from Microsoft's enterprise applications, it is missing an important part of the story. SQL Server, Exchange and SharePoint audit logs are too important to be missing from your SIEM or log management solution. Find out more about how to audit these applications, and learn how to get their security audit event data into your SIEM.

Browse to www.logbinder.com/Solutions

Patch data provided by:




Product Version Affected

Date Released by Vendor

Vulnerability Info

Severity / Our Recommendation


Adobe Analytics for Flash Library

4.0 and earlier


Cross Site Scripting

Important: Priority 2/ Upgrade within 30 days


Adobe RoboHelp Server



Information Disclosure

Critical: Priority 2/ Upgrade within 30 days


Adobe Creative Cloud Desktop Application and earlier


Remote Arbitrary Read/Write

Important: Priority 2/ Upgrade within 30 days

Multiple CVE’s

Adobe Flash

Win/Mac and earlier

Win/Mac ESR and earlier
Linux and earlier


Arbitrary Code Execution, Denial of Service, Security Bypass

Critical: Priority 1/ Upgrade as soon as possible

Multiple CVE’s

Adobe Air

Win/Mac and earlier


Arbitrary Code Execution, Denial of Service, Security Bypass

Critical: Priority 3/ Upgrade at admin’s discretion

Multiple CVE’s

Google Chrome

Win Before 50.0.2661.87




Cross Site Scripting, Denial of Service, Security Bypass, Spoofing, Information Disclosure

Update as soon as possible

Multiple CVE’s

Oracle Java

Java SE 6u113, 7u99, 8u77


Multiple Remotely Exploitable Vulnerabilities

Update as soon as possible

Send me this chart next Patch Tuesday.
We will not share your address. Unsubscribe anytime.