Adobe Updates Flash to Fix Zero-Day Vulnerability
Adobe came out with an emergency update for its Flash Player software today, fixing a critical vulnerability that is already being exploited by attackers. The vulnerability is technically identified as CVE-2014-0515 and is a buffer overflow condition.
"Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform," Adobe warned in its advisory.
While Windows users are the only ones who have specifically been targeted so far, the vulnerability impacts Adobe Flash Player 220.127.116.11 and earlier versions on Microsoft Windows platforms, Adobe Flash Player 18.104.22.168 and earlier versions for Apple Macintosh OS X, and Adobe Flash Player 22.214.171.1240 and earlier versions for Linux.
Adobe credits Kaspersky Lab security researcher Alexander Polyakov with reporting the CVE-2014-0515 flaw. In a blog post, Kaspersky Lab expert Vyacheslav Zakorzhevsky wrote that the new Flash exploit was first detected using a generic heuristic signature on April 14.
Kaspersky Lab found the Flash exploit on a site that had become a watering hole for attacks. In a watering hole attack, a legitimate Website is infected with malware, which then in turns serves up the exploit to unsuspecting visitors. The waterhole site for the CVE-2014-0515 vulnerability is a site set up by the Syrian Ministry of Justice.
"We believe the attack was designed to target Syrian dissidents complaining about the government," Zakorzhevsky wrote.
While the total number of victims is not known, Zakorzhevsky noted that to date, Kaspersky products have detected approximately 30 infections. All of the infections occurred in Syria, and all of the users were using the Mozilla Firefox browser.
What's interesting to me about that is the simple fact that Firefox does not directly integrate Adobe Flash into the browser, which is something that both Microsoft Internet Explorer and Google Chrome now do. Integrated Flash updates with a browser might well mean that there is a greater chance that an IE or Chrome user will have a fully updated Flash version, since it's automatically included in browser updates. Yet the flaw that Kaspersky found is not an older, already patched flaw; it's a new vulnerability unpatched on any platform.
Google Chrome users will automatically be updated to the latest Adobe Flash Player, while Microsoft IE 10 and IE 11 users will get the update via the Microsoft Update Service. For users of older versions of IE, Mac OS X users and Mozilla Firefox users, there is an update that can be obtained via the Flash Player Download Center.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.