Adobe urges users to implement critical out-of-band Flash Player update
For the second time in a month, Adobe has issued a security update for Flash Player. This out-of-band update finally fixes a critical vulnerability that could be misused by remote attackers to take control of an affected system.
Mitigation for the flaw (CVE-2014-8439) was initially pushed out on October 14, and the updates released on Tuesday provide additional hardening against it.
Sébastien Duquette of ESET, Timo Hirvonen of F-Secure and the researcher who goes by the handle Kafeine have been credited with the vulnerability’s discovery.
“We discovered the vulnerability while analyzing a Flash exploit from an exploit kit called Angler. We received the sample from Kafeine, a renowned exploit kit researcher. He asked us to identify the vulnerability which was successfully exploited with Flash Player 15.0.0.152 but not with 15.0.0.189. That would imply the vulnerability was something patched in APSB14-22. However, based on the information that we had received via Microsoft Active Protections Program the exploit didn’t match any of the vulnerabilities patched in APSB14-22 (CVE-2014-0558, CVE-2014-0564, or CVE-2014-0569),” Timo Hirvonen explained the fixing process in a blog post.
“We considered the possibility that maybe the latest patch prevented the exploit from working and the root cause of the vulnerability was still unfixed so we contacted the Adobe Product Security Incident Response Team. They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution, CVE-2014-8439.”
“Kafeine reported Angler exploiting this vulnerability already on October 21st, 2014, soon followed by Astrum and Nuclear exploit kits. Considering the exploit kit authors reverse engineered October’s Flash update in two days, installing the update immediately is paramount, whether you do it manually or automatically,” he urged users.
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will be automatically updated to the current version.