Adobe Updates for Zero-Day Risk, Handles Emergency
Adobe issued an unscheduled zero-day update for a security issue on Feb. 20 for its Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh, and Adobe Flash Player 188.8.131.526 and earlier versions for Linux.
"These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe warned in its advisory.
In total, the Adobe update is fixing three identified common vulnerabilities and exposures (CVEs). Adobe noted that only one of them (CVE-2014-0502) is actively being exploited in the wild.
According the National Vulnerability Database information on CVE-2014-0502, the flaw has the highest possible score for impact and exploitability, which basically means it's a real and present danger.
Security vendor FireEye claimed in a blog post that it first became aware of CVE-2014-0502 on Feb. 13. FireEye noted that the Peter G. Peterson Institute for International Economics as well as the American Research Center in Egypt and the Smith Richardson Foundation were all redirecting visitors to a server hosting the CVE-2014-0502 exploit.
"All three organizations are nonprofit institutions; the Peterson Institute and Smith Richardson Foundation engage in national security and public policy issues," FireEye stated.
Make no mistake about it. This is serious, but the way Adobe handles itself today and the way that zero-day flaws are addressed is exemplary in my professional opinion.
Not long ago, one of the easiest stories I got to write was an Adobe zero-day exploit story. They used to happen with such frequency that I had a template ready to go where I could just swap in the date, and I kept a running count of zero-day flaws. Some researcher would find a flaw, and then it would be actively exploited for a time and then eventually patched.
I don't write that type of story anymore, and this new zero-day is a good example of how much Adobe security has improved in recent years. Adobe has gone to great lengths to secure Flash, which has helped. There are few zero-day exploits like this one that occur now, and it seems that when they do, they are addressed rapidly.
Part of this particular success story has to do with the proper and responsible disclosure policies at FireEye, too. They did first find a flaw Feb. 13, and Adobe didn't actually patch it until Feb. 20. However, there wasn't the same kind of panic of past years, when researchers didn't have the same relationship with Adobe, and zero-day flaws were publicly announced before Adobe could address them.
The other big thing that has changed here is the window of exploitability. In the past, whenever there was a big Adobe zero-day update, it was incumbent on individual users to make sure they update on their own. In 2014, Flash is directly integrated into the Google Chrome and Microsoft Internet Explorer (IE) 10 and 11 browsers. Automatic updates from Google and Microsoft should by now have already updated and secured users.
For users of other browsers, Adobe has had a stand-alone silent update since 2012. So for you users that enabled that silent update, they also have already been automatically updated and secured.
In contrast, there is the Microsoft IE zero-day flaw that is now being exploited in the wild a week after I first reported on it, for which there is not an automated fix (yet). Yes, Microsoft has issued a "fix-it" temporary fix for the issue, but it's not a full patch and not automatically deployed like the Adobe fix.
Zero-day flaws aren't likely to ever entirely be erased, but it's great to see how much progress Adobe has made in minimizing the risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.