Adobe issued an out-of-band patch update on Nov. 25 for a vulnerability identified as CVE-2014-8439, which impacts the Adobe Flash Player.
Typically, an out-of-band patch update is a rare event that is reserved for severe and risky zero-day flaws, but that’s not quite what is going on with the new Adobe update. The CVE-2014-8439 vulnerability was actually first mitigated during Adobe’s regular patch Tuesday update on Oct. 14.
Adobe spokesperson, Heather Edell told eWEEK that that October update included a proactive mitigation, which typically is not assigned a common vulnerabilities and exploits, or CVE, number.
“We were later notified that there was an attack in the wild, and we identified that the proactive mitigation was blocking this attack,” Edell said. “Since there was a specific attack in this area, we added further mitigations in today’s release.”
The actual CVE-2014-8439 vulnerability is what Adobe’s advisory describes as a “de-referenced memory pointer that could lead to code execution.”
Though Adobe has now issued further mitigations for CVE-2014-8439, it’s not because any attacks were actually able to bypass the protection that Adobe provided in the October update.
“Out of an abundance of caution, we are releasing further changes that strengthen the mitigation against potential variants,” Edell said. “That said, we are not aware of any attacks, in the wild or otherwise, that can bypass the October mitigation.”
In my view, this is truly a dramatic turnaround for Adobe, in contrast to the way it used to deal with security. Back in 2009, Adobe was largely a reactive company when it came to security, dealing with what seemed like an endless stream of zero-day vulnerabilities with active exploits in the wild.
The Nov. 25 out-of-band update, in contrast, is a remarkably proactive effort to protect users.
In a 2013 video interview I did with Adobe Chief Security Officer Brad Arkin, he explained to me how Adobe made security a core principle of the entire company’s development efforts.
It’s an effort that is clearly working today.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.