Adobe has released an emergency patch to patch a critical remote code-execution vulnerability (CVE-2104-8439) affecting Flash Player that was already fixed last month (Adobe’s Oct. 14th), but that was exploited again. According to an Adobe Security Bulletin, the update implements a mitigating solution for the CVE-2104-8439 that affects the Adobe Flash and could be exploited by attackers to install malware.
The critical vulnerability in Flash Player for Windows, Mac and Linux was mitigated in October 14 for the first time, but the French researcher Kafeine discovered evidence of the exploits in the Angler, Astrum and Nuclear malware kits after Adobe released the patch. It is likely that the attackers were able to reverse-engineering the patch issued by Adobe and include it in commercial available exploits.
“The vulnerability is being exploited in blind mass attack. No doubt about it : the team behind Angler is really good at what it does,” Kafeine said in a blog post.
The Flash Player to the latest version of Windows and Apple’s Mac OS is 15.0.0.239, and the latest for Linux is 11.2.202.424, anyway it is possible to install the patch manually from Adobe. Timo Hirvonen, a senior researcher at F-Secure, confirmed that its company has received an exploit sample from Kaffeine and that they verified that the exploit was working despite the deployment of the Adobe fixed in October.
“We discovered the vulnerability while analyzing a Flash exploit from an exploit kit called Angler. We received the sample from Kafeine, a renowned exploit kit researcher. He asked us to identify the vulnerability which was successfully exploited with Flash Player 15.0.0.152 but not with 15.0.0.189. That would imply the vulnerability was something patched in APSB14-22. However, based on the information that we had received via Microsoft Active Protections Program the exploit didn’t match any of the vulnerabilities patched in APSB14-22 (CVE-2014-0558, CVE-2014-0564, or CVE-2014-0569).
We considered the possibility that maybe the latest patch prevented the exploit from working and the root cause of the vulnerability was still unfixed so we contacted the Adobe Product Security Incident Response Team.” reported F-Secure in a blog post.
Users can install the new update from Adobe Flash Player Download Center, or using the automated update requested by the Adobe solution.
(Security Affairs – Adobe patch, CVE-2104-8439)