Jump to content
Aerosol

Adobe Releases Emergency Flash Player Patch

Recommended Posts

Posted

adobe_patch-680x400.jpg

Adobe today revised a security bulletin it released more than a month ago, adding a patch for a code-execution vulnerability in Flash Player already included in some exploit kits.

French researcher Kafeine found the exploits in the Angler and Nuclear kits less than a week after Adobe released an update Oct. 14.

The update addressed three CVEs, all of which could lead to memory corruption or integer overflows, enabling attackers to remotely load and execute code on the compromised computer. Today’s patch adds CVE-2014-8439, reported by Kafeine to Adobe.

“These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution,” Adobe said today in its advisory.

Fiesta and Angler are used to compromise vulnerable websites and redirect site visitors to sites hosting banking malware, malvertising schemes and other attacks. Flash Player bugs are among the most common vulnerabilities exploited by such kits, as well as Java and Microsoft Silverlight vulnerabilities.

The inclusion of the Oct. 14 CVEs in the exploit kits was worrisome to Kafeine, who does extensive research into these attack tools, noting that an attacker likely found a way to reverse-engineer the Adobe patch in order to drop it in the EK inside of a week.

Kafeine said that the Adobe patches released on Oct. 14 likely protected users from the active exploits, but the vulnerability remained exposed to future exploit development.

Today’s update moves Flash Player to version 15.0.0.239 for Windows and Macintosh users, and 11.2.202.424 for Linux users. Chrome and Internet Explorer users will be updated automatically by Google and Microsoft respectively.

Another Adobe exploit in Angler was reported last week, also by Kafeine.

This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers.

“The vulnerability is being exploited in blind mass attack. No doubt about it : the team behind Angler is really good at what it does,” he said in a blog post.

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...