Thursday, February 20, 2014

A Second February Adobe Flash Critical Update:
Another Exploit Is In The Wild.
Update to v12.0.0.70 ASAP

--

For the second time this month, Adobe has provided an out-of-band (unscheduled) critical update of Adobe Flash Player software. The new version is 12.0.0.70. Please update NOW:

http://get.adobe.com/flashplayer/

Adobe AIR is not affected, except for the AIR SDK and Compiler, for which there is also a critical update:

http://www.adobe.com/devnet/air/air-sdk-download.html

Adobe's Flash & AIR security bulletin can be found here:

http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.
. . .
These updates resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498).

These updates resolve a memory leak vulnerability that could be used to defeat memory address layout randomization (CVE-2014-0499).

These updates resolve a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).

As usual:
Be certain to use a Flash blocking extension in ALL your web browsers. Thankfully, Apple's latest versions of Safari automatically block Flash until user approval. Safari 7, exclusive to OS X 10.9 Mavericks, provides Flash sandboxing. iCab also automatically blocks Flash until approval. Adobe Flash is second only to Oracle Java as the most dangerous software to run on the Internet in OS X. Please take these dangers seriously.

Be safe, share and enjoy!

:-Derek