Adobe has released an out-of-band security patch for Flash Player to fix a critical zero-day vulnerability that is being exploited in the wild. The vulnerability allows attackers to remotely take control of the affected system; once they have control, they can install malware and recruit the PC into a botnet. Because a working exploit is already circulating and being used in attacks, Adobe issued the patch outside its normal release cycle and recommends that users update Flash Player on their PCs immediately.
The flaw is an integer underflow in Flash Player before 11.7.700.261, and in 11.8.x through 12.0.x before 12.0.0.44, on Windows and Mac OS X, and before 11.2.202.336 on Linux; it lets remote attackers execute arbitrary code on a victim's PC. Adobe did not, however, include any details about how the vulnerability is being exploited.
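The version ranges above are the only actionable detail in the advisory, and they are easy to misread because the 11.7 extended-support branch and the 11.8 to 12.0 branch have different fixed builds. The following checker, added here as an illustration and not code from Adobe or from the original article, turns those ranges into a function that says whether a given installed build still needs the patch. The host inventory it runs over is constructed sample data; the platform names and the function names are this example's own choices.

```python
"""Decide whether an installed Flash Player build is affected by the
out-of-band advisory: before 11.7.700.261, or 11.8.x through 12.0.x
before 12.0.0.44, on Windows and Mac OS X; before 11.2.202.336 on Linux.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '12.0.0.44' into (12, 0, 0, 44) so tuples compare numerically.

    String comparison would get this wrong ('11.9' > '11.10'), so every
    component is converted to an int before comparison.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Fixed builds taken from the advisory text.
FIXED_LEGACY = parse_version("11.7.700.261")   # 11.7 extended-support branch
FIXED_CURRENT = parse_version("12.0.0.44")     # 11.8.x through 12.0.x
FIXED_LINUX = parse_version("11.2.202.336")    # Linux branch

# Platform spellings accepted by is_vulnerable (an assumption of this example).
_WINDOWS_OR_MAC = {"windows", "mac os x", "macos", "osx"}


def is_vulnerable(version: str, platform: str) -> bool:
    """Return True if this build falls inside an affected range."""
    v = parse_version(version)
    p = platform.strip().lower()
    if p == "linux":
        return v < FIXED_LINUX
    if p in _WINDOWS_OR_MAC:
        if v < (11, 8):          # 11.7 branch and anything older
            return v < FIXED_LEGACY
        if v < (12, 1):          # 11.8.x through 12.0.x
            return v < FIXED_CURRENT
        return False             # newer than anything the advisory covers
    raise ValueError(f"unknown platform: {platform!r}")


# Constructed inventory, as a vulnerability scanner might export it.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "platform": "Windows", "flash": "12.0.0.43"},
    {"host": "ws-002", "platform": "Windows", "flash": "12.0.0.44"},
    {"host": "mac-01", "platform": "Mac OS X", "flash": "11.7.700.260"},
    {"host": "mac-02", "platform": "Mac OS X", "flash": "11.7.700.261"},
    {"host": "lnx-01", "platform": "Linux", "flash": "11.2.202.335"},
    {"host": "lnx-02", "platform": "Linux", "flash": "11.2.202.336"},
]


def hosts_needing_patch(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of hosts whose Flash build is still in an affected range."""
    return [
        entry["host"]
        for entry in inventory
        if is_vulnerable(entry["flash"], entry["platform"])
    ]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: update Flash Player")
```

Note that the check is branch-aware: a Windows host on 11.7.700.261 is patched even though that number is lower than 12.0.0.44, while 11.9.900.170 is unpatched even though it is newer than the 11.7 fix. A scanner that compares against a single "latest" version will misclassify one of those two cases.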
Adobe did, however, thank two researchers from Kaspersky Lab for reporting the vulnerability. There is speculation that the flaw is related to "The Mask", an Advanced Persistent Threat (APT) that a Kaspersky Lab expert wrote about recently. That Kaspersky post mentions Adobe Flash in the context of a long-running cyber-espionage campaign, and Kaspersky says it will present more about the campaign next week at the Kaspersky Security Analyst Summit 2014.
Because Chrome and Internet Explorer 10 and 11 ship their own embedded copy of Flash Player, updating the stand-alone plug-in does not fix them. Google has accordingly released Chrome 32.0.1700.107 for Windows, Mac and Linux with the updated Flash Player built in, and Microsoft has likewise updated Internet Explorer 10 and 11 on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
Apple has released an update to its web plug-in blocking mechanism that disables all versions prior to Flash Player 12.0.0.44. OS X users who try to view Flash content in Safari will see a "Blocked Plug-in" alert until they have updated to the latest version of Flash Player. The block applies only to Safari; other browsers on OS X rely on their own update channels.