Tuesday, February 4, 2014

Adobe Flash Critical Out-Of-Band Update;
A Zero-Day Exploit Is In The Wild.
Apple responds…

--

[Apple's response added in the Addendum below! 2014-02-05 1:10 AM]

Today, Adobe has pushed out a critical out-of-band (earlier than scheduled) update to Flash Player. (Apparently, Adobe AIR is not affected). The update is Adobe Flash Player v12.0.0.44.  If you are using Flash Player, please grab the update now:

http://get.adobe.com/flashplayer/

Adobe's security bulletin is here:

http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
Adobe has released security updates for Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.

Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions.
. . .
These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).
Assuming the word 'underflow' is not a typo, this is new to me. Here is one explanation of a data 'underflow' vulnerability versus an overflow:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Integer_Overflow/Underflow
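To make the 'underflow' case concrete, here is an added C illustration (not from the post, Adobe, or the OWASP page; the record layout, header size and buffer size are constructed) of the classic length-derivation bug: the payload length is computed by subtracting a header size before checking that the subtraction is valid, so a too-short length goes negative, slips past the "too big" check, and would turn into an enormous copy size; the hardened version checks the operands first.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for a hypothetical record: an 8-byte header followed by
 * a payload that must fit in a 64-byte buffer. */
enum { HEADER_LEN = 8, BUF_LEN = 64 };

/* Vulnerable derivation: subtract first, check second, in signed arithmetic.
 * For total = 4 the result is -4; "-4 > 64" is false, so the record is
 * accepted, and converting -4 to size_t at the copy yields SIZE_MAX - 3.
 * Returns the size that would be handed to the copy, or 0 if rejected. */
size_t vulnerable_payload_size(int32_t total) {
    int remaining = total - HEADER_LEN;     /* underflows for total < 8 */
    if (remaining > BUF_LEN)                /* negative values pass this */
        return 0;
    return (size_t)remaining;               /* negative -> huge size_t   */
}

/* Hardened derivation: reject anything that would make the subtraction
 * wrap (or that is negative to begin with), then bound the unsigned result
 * against the destination buffer. */
size_t safe_payload_size(int32_t total) {
    if (total < HEADER_LEN)                 /* would underflow: reject    */
        return 0;
    uint32_t remaining = (uint32_t)(total - HEADER_LEN);
    if (remaining > BUF_LEN)                /* would overflow: reject     */
        return 0;
    return (size_t)remaining;
}

int main(void) {
    int32_t samples[] = { 4, 20, 200 };      /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("total=%4d  vulnerable=%zu  safe=%zu\n", samples[i],
               vulnerable_payload_size(samples[i]),
               safe_payload_size(samples[i]));
    }
    return 0;
}
```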

I dug around for further explanation of CVE-2014-0497, but nothing more is available at this time, which is common with zero-day exploits.

Here are a couple of articles covering this Flash Player update:

Adobe Pushes Fix for Flash Zero-Day Attack

Adobe releases unscheduled Flash update to patch critical zero-day threat
Attack code for integer underflow bug is already circulating in the wild.

Again: If you're using Adobe Flash Player, please update now.


--

Addendum:

Apple has responded to this latest Adobe Flash Player security FAIL by blocking all previous versions of Flash Player via its XProtect system, integrated into recent versions of OS X:
APPLE-SA-2014-02-04-1 OS X: Flash Player plug-in blocked

Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 12.0.0.44.

Information on blocked web plug-ins will be posted to:

This message is signed with Apple's Product Security PGP key, and details are available at:
Thank you, Apple!


--
