Adobe Issues Update to Fix Zero-Day Flaw in Flash
Adobe has been keeping to a regular patch release cycle for its products, but this week that cycle was interrupted. On Tuesday, Feb. 4, Adobe issued an out-of-band security update to fix a zero-day flaw in its Adobe Flash player running on Windows, Mac and Linux operating systems.
Adobe warned in its advisory that the vulnerability is being exploited in the wild. According to the advisory, the vulnerability could potentially enable an attacker to take control of a system that is at risk.
The vulnerability has been formally identified as CVE-2014-0497 and is an integer underflow vulnerability that could enable arbitrary code execution. Adobe credits researchers Alexander Polyakov and Anton Ivanov from Kaspersky Labs for helping report the issue.
Systems that are at risk include Windows and Mac OS X users running Flash Player 220.127.116.11 and earlier. Linux users running Flash Player 18.104.22.168.335 and earlier are also at risk and need to update.
Flash deployments have changed in recent years and are no longer made up entirely of users manually downloading and updating Flash. Google Chrome users benefit from having Flash directly integrated with the browser. Chrome has an automatic update process that will be updating users to a new version of Chrome that includes the updated Flash component.
Microsoft's Internet Explorer 10 and 11 also both directly integrate Flash. New updates from Microsoft for both browsers will include the new patched version of Adobe's Flash Player.
Mozilla's Firefox and Apple's Safari Web browsers do not directly integrate Adobe's Flash Player. Users of those browsers can choose to manually download a new version of Flash from Adobe's site if needed. Many Adobe Flash Player users, however, are likely to also be automatically updated if they enable automatic updates in Flash, which is a user option.
The Flash zero-day update is a reminder why security professionals urge users to enable browser plug-ins only when necessary, Craig Young, security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT), said.
"It is important to note that browsers such as Chrome and Internet Explorer have Adobe's Flash technology baked in, making it necessary to explicitly disable it when not needed," Young said.
Although Adobe's Flash was once a top target for attackers and security researchers, Adobe has gone to great lengths in recent years to improve its security posture. In a video interview with eWEEK in 2013, Brad Arkin, chief security officer at Adobe, explained how security was overhauled with very positive results.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.