

Adobe issues fix for Flash Player zero-day flaw

29 Apr 2014

Adobe has issued a patch for Flash Player following the discovery of a zero-day vulnerability, which it warned could allow hackers "to take control of affected computer systems".

The firm alerted its users to the flaw in a security advisory on Monday, saying it "is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."

Adobe released security updates to cover Flash Player versions 13.0.0.182 and earlier for Windows, 13.0.0.201 and earlier versions for Mac and 11.2.202.350 and earlier for Linux.
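
The version ceilings above can be checked against a software inventory. The following is an added example, not code from Adobe's advisory or from this article; the CSV layout, host names and function names are assumptions, and the sample inventory is constructed. Versions are compared numerically per component, so 13.0.0.99 correctly sorts below 13.0.0.182.

```python
import csv
import io

# Highest affected Flash Player version per platform, as listed in the article.
LAST_AFFECTED = {
    "windows": (13, 0, 0, 182),
    "mac": (13, 0, 0, 201),
    "linux": (11, 2, 202, 350),
}

def parse_version(text):
    """Turn '13.0.0.182' into (13, 0, 0, 182); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'affected', 'ok' or 'review' for one inventory record."""
    ceiling = LAST_AFFECTED.get(platform.strip().lower())
    if ceiling is None:
        return "review"  # platform the article does not cover
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable version: check by hand
    # Tuple comparison is numeric per component; a plain string
    # comparison would rank "13.0.0.99" above "13.0.0.182".
    return "affected" if version <= ceiling else "ok"

def triage(inventory_csv):
    """Map each host in a host,platform,version CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in reader}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,platform,version
ws-01,Windows,13.0.0.182
ws-02,Windows,13.0.0.99
ws-03,Windows,13.0.0.250
mac-01,Mac,13.0.0.201
lin-01,Linux,11.2.202.400
lin-02,Linux,11.2.202.350
kiosk-01,Solaris,11.2.202.223
ws-04,Windows,13.0.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Records marked `review` are platforms the article does not list or versions that could not be parsed, and need a manual check rather than being assumed safe.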

Security firm Kaspersky claimed to have discovered the bug and made Adobe aware of it in mid-April, when it detected two new exploits in SWF, the Adobe Flash file format for multimedia, vector graphics and ActionScript, and said the bug was being used in watering-hole attacks.

Vyacheslav Zakorzhevsky, manager of the Vulnerability Research Group at Kaspersky Lab, said in a blog post: "After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a [zero-day] vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing."

According to Kaspersky's data, the exploits were stored as movie.swf and include.swf on an infected website, and each exploit came as an unpacked Flash video file.

"The Action Script code inside was neither obfuscated nor encrypted," Zakorzhevsky said. "The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used."

Kaspersky said it's likely that the attack was carefully planned and that reasonably high-calibre professionals were behind it. "The use of professionally written zero-day exploits that were used to infect a single resource testifies to this," Zakorzhevsky added.

The Adobe Flash Player patch arrives just days after Microsoft issued a security bulletin for a similar flaw in almost all recent editions of Internet Explorer. As with the zero-day flaw found in Adobe's Flash Player, Microsoft's emergency security bulletin warned that the vulnerability could give hackers complete control of a user's web browser.

Microsoft issued Security Advisory 2963983 on Saturday, leaving users unpatched while the flaw is still under investigation by the Redmond firm.

Although similar in type to Microsoft's IE zero-day bug, Adobe's newly announced Flash Player exploit is unrelated, security firm Sophos said, as it is a bug in Flash Player that directly allows remote code execution.

"That means that you could be infected just by viewing a Flash file in your browser," the company warned on Tuesday in its Naked Security blog.

Lee Bell