Security Experts:

Adobe Patches Critical Vulnerability Under Attack

Adobe Systems issued critical security updates today to address vulnerabilities in Adobe Flash Player - including one vulnerability that is under attack.

That vulnerability, CVE-2014-0502, is a double free vulnerability that could result in arbitrary code execution. In addition to plugging that security hole, Adobe also issued patches for a stack overflow vulnerability and a memory leak issue not known to be under attack.

According to Adobe, the bugs affect Adobe Flash Player and earlier versions for Windows and Macintosh and Adobe Flash Player and earlier versions for Linux. Like the double free issue, the stack overflow vulnerability can be exploited to remotely execute code.

In a blog post, researchers at FireEye explained that visitors to at least three non-profits - including two that focus on national security and public policy issues - were redirected to an exploit server hosting the zero-day exploit. The attack was identified Feb. 13. Visitors to the Peter G. Peterson Institute for International Economics (www.piie[.]com) were redirected to an exploit server hosting this Flash zero-day through a hidden iframe. Subsequently, the American Research Center in Egypt (www.arce[.]org) and the Smith Richardson Foundation (www.srf[.]org) also redirected visitors the exploit server.

"This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit socio-cultural issues," according to FireEye. "The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically."

"This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems," the FireEye researchers continued in a blog post. "Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term."

According to Qualys CTO, Wolfgang Kandek, in particular the attack needs to bypass ASLR to be successful and therefore only focuses on certain configurations:

- Windows XP (which does not have ASLR)

- Windows 7 with Java 1.6 installed, which allows for an ALSR bypass, but Java 1.6 is EOL already and in general vulnerable to other exploits

- Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits

"Our recommendation is to update as quickly as possible," Kandek said. "Organizations that run any of the above organizations needs to do this as quickly as possible, others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also leak memory locations."

The fix from Adobe comes a day after Microsoft released a Fix It tool to address attacks targeting a vulnerability in Internet Explorer. The issue impacts Internet Explorer versions 9 and 10, and Microsoft is urging users to upgrade to IE 11 to avoid attacks. 

*Updated with commentary from Qualys. Additional reporting by Mike Lennon
view counter