Adobe released their second out-of-band update for Adobe Flash this month. APSB14-07 fixes three vulnerabilities in Adobe Flash, including CVE-2014-0502 which is being used in the wild to attack users through malicious webpages.
The 0-day flaw in Flash CVE-2014-0502 was discovered about a week ago by FireEye which states that it was found on three websites that are run by non-profit institutions. Fortunately organizations that are running latest operating systems and application code are not affected by the attack. They lack the vulnerable components that enable the attack to come to a successful conclusion.
In particular the attack needs to bypass ASLR to be successful and therefore only focuses on certain configurations:
- Windows XP (which does not have ASLR)
- Windows 7 with Java 1.6 installed, which allows for an ALSR bypass, but Java 1.6 is EOL already and in general vulnerable to other exploits
- Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits.
Our recommendation is to update as quickly as possible. Organizations that run any of the above organizations needs to do this as quickly as possible, others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also leak memory locations.
Microsoft has updated advisory KB2755801 which centralizes the Flash updates in Internet Explorer 10 and 11. Users of IE10 or IE11, as well as Google Chrome do not need to update Adobe Flash separately, but instead it is handled through their browsers automatically.
Author: Wolfgang Kandek, CTO, Qualys.