The critical vulnerability (CVE-2014-8439) in Flash Player for Windows, Mac and Linux was originally mitigated more than a month ago, in the October 14, 2014 patch release, but French researcher Kafeine found exploits for it in the Angler and Nuclear malware kits after Adobe had released that patch, according to security vendor F-Secure.
“The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” Kafeine said in a blog post.
The vulnerability allows an attacker to execute arbitrary code because of a weakness in the way a dereferenced memory pointer is handled. An attacker could serve a specially crafted Flash file to trigger the vulnerability, leading to execution of the attacker’s code and, from there, control of the target system.
Adobe rated the vulnerability as critical and recommended that users and administrators on Windows, Mac OS X and Linux update their software to the latest release as soon as possible.
“We considered the possibility that maybe the latest patch [from October] prevented the exploit from working and the root cause of the vulnerability was still unfixed, so we contacted the Adobe Product Security Incident Response Team,” Timo Hirvonen, a senior researcher at F-Secure, wrote on Tuesday.
“They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution.”
According to the recent security bulletin, Adobe has released the latest update for its Flash plugin: version 188.8.131.52 for Windows and Macintosh users, version 184.108.40.2068 for those who use the Adobe Flash Player Extended Support Release, and version 220.127.116.114 for Linux users.
Microsoft will soon release security updates for Internet Explorer 10 and 11, and Google will release updates for Chrome, to fix the Flash Player builds embedded in those browsers.
This is Adobe’s second attempt to close this particular security hole in Flash; the company said the updates for the Windows, Linux and Apple OS X versions of Flash Player will “provide additional hardening” against CVE-2014-8439, the flaw addressed by the earlier patch.
To find out which version of Flash Player you are currently running, visit the About Flash Player page. Users can obtain the latest releases from the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.