Adobe patches Flash zero day under attack

Adobe has released fixes for six security vulnerabilities in Flash, one of which is reportedly under attack, as well as fixes for 20 flaws in Reader and Acrobat.

All six fixes are for “critical” vulnerabilities in Flash Player for Windows, Mac and Linux, which Adobe said “could potentially allow an attacker to take control of the affected system.”

Adobe said it is aware of reports of attacks exploiting the flaw CVE-2014-9163, discovered by the researcher ‘bilou’, who reported the bug through HP’s Zero Day Initiative (ZDI).

The December scheduled fixes follow an “out of band” patch for Flash in late November, which hardened a fix for a flaw originally addressed in October. Researchers suspected it had been integrated into exploit kits.

Affected versions of Flash include 15.0.0.242 and earlier, 13.0.0.258 and earlier 13.x versions, and 11.2.202.424 and earlier versions for Linux. According to Adobe, users who have already updated to version 15.0.0.246 are not affected by CVE-2014-9163.

Windows and Mac users with Flash Player for the desktop should update to version 16.0.0.235, while those on Flash extended support release should update to 13.0.0.259. Linux users should update to 11.2.202.425, while the Flash plugin installed with Chrome and Internet Explorer on Windows 8.x will automatically update to the current version.

Adobe also released fixes for 20 vulnerabilities affecting both Reader and Acrobat “that could potentially allow an attacker to take over the affected system”, according to the company.

Half of the flaws fixed in this update were reported to Adobe by Google’s Project Zero team, including one recently detailed by James Forshaw, even though that one was not technically fixed.

The vulnerability (CVE-2014-9150) was a Windows Acrobat Reader 11 sandbox escape in MoveFileEx. Google published details of the bug on November 26, including exploit code, in accordance with its policy of disclosing bugs 90 days after reporting them to the vendor.

Despite the bug not being fixed, Forshaw noted that it was “difficult if not impossible to exploit” due to additional defences Adobe applied to the product in version 11.0.09 (released in November’s update), which addressed a similar sandbox escape affecting Acrobat and Reader on Windows.

Users of Reader XI or Acrobat XI version 11.0.09 should update to 11.0.10 for both products. Users of Reader X and Acrobat X, version 10.1.12, should update to 10.1.13.

Finally, Adobe released hotfixes for ColdFusion versions 11 and 10 that address a “resource consumption issue that could potentially result in a denial of service”. ColdFusion 9.x versions are not affected.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
