Adobe has released yesterday an out-of-band update to fix a critical remote code-execution vulnerability CVE-2014-8439 in Flash Player that is being exploited in the wild.
Adobe has released an emergency patch to patch a critical remote code-execution vulnerability (CVE-2104-8439) affecting Flash Player that was already fixed last month (Adobe’s Oct. 14th), but that was exploited again. According to an Adobe Security Bulletin, the update implements a mitigating solution for the CVE-2104-8439 that affects the Adobe Flash and could be exploited by attackers to install malware.
The critical vulnerability in Flash Player for Windows, Mac and Linux was mitigated in October 14 for the first time, but the French researcher Kafeine discovered evidence of the exploits in the Angler, Astrum and Nuclear malware kits after Adobe released the patch. It is likely that the attackers were able to reverse-engineering the patch issued by Adobe and include it in commercial available exploits.
“The vulnerability is being exploited in blind mass attack. No doubt about it : the team behind Angler is really good at what it does,” Kafeine said in a blog post.
The Flash Player to the latest version of Windows and Apple’s Mac OS is 126.96.36.199, and the latest for Linux is 188.8.131.524, anyway it is possible to install the patch manually from Adobe. Timo Hirvonen, a senior researcher at F-Secure, confirmed that its company has received an exploit sample from Kaffeine and that they verified that the exploit was working despite the deployment of the Adobe fixed in October.
“We discovered the vulnerability while analyzing a Flash exploit from an exploit kit called Angler. We received the sample from Kafeine, a renowned exploit kit researcher. He asked us to identify the vulnerability which was successfully exploited with Flash Player 184.108.40.206 but not with 220.127.116.11. That would imply the vulnerability was something patched in APSB14-22. However, based on the information that we had received via Microsoft Active Protections Program the exploit didn’t match any of the vulnerabilities patched in APSB14-22 (CVE-2014-0558, CVE-2014-0564, or CVE-2014-0569).
We considered the possibility that maybe the latest patch prevented the exploit from working and the root cause of the vulnerability was still unfixed so we contacted the Adobe Product Security Incident Response Team.” reported F-Secure in a blog post.
Users can install the new update from Adobe Flash Player Download Center, or using the automated update requested by the Adobe solution.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.