
Adobe Patches Critical Vulnerability Under Attack

Adobe Systems issued critical security updates today to address vulnerabilities in Adobe Flash Player – including one vulnerability that is under attack.


That vulnerability, CVE-2014-0502, is a double free vulnerability that could result in arbitrary code execution. In addition to plugging that security hole, Adobe also issued patches for a stack overflow vulnerability and a memory leak issue not known to be under attack.

According to Adobe, the bugs affect Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. Like the double free issue, the stack overflow vulnerability can be exploited to remotely execute code.

In a blog post, researchers at FireEye explained that visitors to at least three non-profits – including two that focus on national security and public policy issues – were redirected to an exploit server hosting the zero-day exploit. The attack was identified Feb. 13. Visitors to the Peter G. Peterson Institute for International Economics (www.piie[.]com) were redirected to an exploit server hosting this Flash zero-day through a hidden iframe. Subsequently, the American Research Center in Egypt (www.arce[.]org) and the Smith Richardson Foundation (www.srf[.]org) also redirected visitors to the exploit server.

“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit socio-cultural issues,” according to FireEye. “The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.”

“This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems,” the FireEye researchers continued in a blog post. “Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”

According to Qualys CTO Wolfgang Kandek, the attack needs to bypass ASLR to be successful and therefore only targets certain configurations:

– Windows XP (which does not have ASLR)

– Windows 7 with Java 1.6 installed, which allows for an ASLR bypass, but Java 1.6 is EOL already and in general vulnerable to other exploits

– Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits

“Our recommendation is to update as quickly as possible,” Kandek said. “Organizations that run any of the above organizations need to do this as quickly as possible, others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also leak memory locations.”
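The affected-version ranges Adobe gave and the at-risk configurations Kandek listed translate directly into a patch-triage rule. The script below is an added example, not code from SecurityWeek, Adobe or Qualys: it parses Flash Player version strings, compares them against the "and earlier" thresholds quoted above, and sorts an endpoint inventory into urgent/normal/none buckets following the Qualys guidance. The hostnames, the inventory records and the "already patched" version numbers used as sample input are constructed, as are the `Endpoint` fields and the `triage` function name.

```python
"""Patch-triage helper for the Flash Player double-free (CVE-2014-0502).

Added example, not SecurityWeek's, Adobe's or Qualys's code. It encodes the
affected version ranges and the at-risk configurations quoted in the article
so an inventory of endpoints can be sorted into patch-priority buckets.
Hostnames, records and the sample "patched" versions are constructed data.
"""
from dataclasses import dataclass

# Highest affected Flash Player build per platform, as quoted from Adobe:
# this version "and earlier" is affected.
AFFECTED_MAX = {
    "windows": (12, 0, 0, 44),
    "mac": (12, 0, 0, 44),
    "linux": (11, 2, 202, 336),
}


def parse_version(text: str) -> tuple:
    """Turn '12.0.0.44' into (12, 0, 0, 44); missing trailing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(platform: str, version: str) -> bool:
    """True if this Flash build lies inside the affected range for its platform."""
    key = platform.lower()
    if key not in AFFECTED_MAX:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is component-wise, so 12.0.0.5 < 12.0.0.44 as intended.
    return parse_version(version) <= AFFECTED_MAX[key]


@dataclass
class Endpoint:
    host: str                       # constructed sample hostname
    os: str                         # "windows xp", "windows 7", "mac", "linux"
    flash: str                      # installed Flash Player version string
    java_16: bool = False           # Java 1.6 present (ASLR-bypass aid per Qualys)
    office_unpatched: bool = False  # Office 2007/2010 not fully updated


def platform_of(os_name: str) -> str:
    """Map an OS label onto the platform keys Adobe's bulletin uses."""
    name = os_name.lower()
    return "windows" if name.startswith("windows") else name


def priority(ep: Endpoint) -> str:
    """'urgent' for the configurations Qualys singled out, 'normal' for any
    other affected build, 'none' if the installed Flash is outside the range."""
    if not is_affected(platform_of(ep.os), ep.flash):
        return "none"
    name = ep.os.lower()
    if name == "windows xp":                  # no ASLR at all
        return "urgent"
    if name == "windows 7" and (ep.java_16 or ep.office_unpatched):
        return "urgent"                       # known ASLR-bypass helpers present
    return "normal"


def triage(endpoints) -> dict:
    """Group hostnames by priority bucket."""
    buckets = {"urgent": [], "normal": [], "none": []}
    for ep in endpoints:
        buckets[priority(ep)].append(ep.host)
    return buckets


# Constructed sample inventory; the two "patched" versions are placeholders
# chosen to be above the affected range, not Adobe's real fixed builds.
SAMPLE = [
    Endpoint("xp-lab-01", "windows xp", "12.0.0.44"),
    Endpoint("fin-ws-07", "windows 7", "12.0.0.43", java_16=True),
    Endpoint("hr-ws-02", "windows 7", "12.0.0.44", office_unpatched=True),
    Endpoint("dev-ws-11", "windows 7", "12.0.0.44"),
    Endpoint("mac-des-03", "mac", "12.1.0.0"),
    Endpoint("build-lnx-01", "linux", "11.2.202.336"),
    Endpoint("web-lnx-02", "linux", "11.2.202.400"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket:>6}: {', '.join(hosts) or '-'}")
```

The version comparison deliberately works on integer tuples rather than strings, because a plain string comparison would rank "11.2.202.5" above "11.2.202.336" and silently mark a vulnerable Linux build as patched.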

The fix from Adobe comes a day after Microsoft released a Fix It tool to address attacks targeting a vulnerability in Internet Explorer. The issue impacts Internet Explorer versions 9 and 10, and Microsoft is urging users to upgrade to IE 11 to avoid attacks. 

*Updated with commentary from Qualys. Additional reporting by Mike Lennon
Written By

Marketing professional with a background in journalism and a focus on IT security.
