Adobe Patches Critical Vulnerability Under Attack

Adobe Systems issued critical security updates today to address vulnerabilities in Adobe Flash Player – including one vulnerability that is under attack.

That vulnerability, CVE-2014-0502, is a double free vulnerability that could result in arbitrary code execution. In addition to plugging that security hole, Adobe also issued patches for a stack overflow vulnerability and a memory leak issue not known to be under attack.

According to Adobe, the bugs affect Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. Like the double free issue, the stack overflow vulnerability can be exploited to remotely execute code.

In a blog post, researchers at FireEye explained that visitors to at least three non-profits – including two that focus on national security and public policy issues – were redirected to an exploit server hosting the zero-day exploit. The attack was identified Feb. 13. Visitors to the Peter G. Peterson Institute for International Economics (www.piie[.]com) were redirected to an exploit server hosting this Flash zero-day through a hidden iframe. Subsequently, the American Research Center in Egypt (www.arce[.]org) and the Smith Richardson Foundation (www.srf[.]org) also redirected visitors to the exploit server.

“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit socio-cultural issues,” according to FireEye. “The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.”

“This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems,” the FireEye researchers continued in a blog post. “Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”

According to Qualys CTO Wolfgang Kandek, the attack needs to bypass ASLR to be successful and therefore targets only certain configurations:

– Windows XP (which does not have ASLR)

– Windows 7 with Java 1.6 installed, which allows for an ASLR bypass, but Java 1.6 is EOL already and in general vulnerable to other exploits

– Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits

“Our recommendation is to update as quickly as possible,” Kandek said. “Organizations that run any of the above organizations need to do this as quickly as possible, others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also leak memory locations.”

The fix from Adobe comes a day after Microsoft released a Fix It tool to address attacks targeting a vulnerability in Internet Explorer. The issue impacts Internet Explorer versions 9 and 10, and Microsoft is urging users to upgrade to IE 11 to avoid attacks. 

*Updated with commentary from Qualys. Additional reporting by Mike Lennon
