Adobe issues fix for Flash Player zero-day flaw

29 Apr 2014
Adobe has issued a patch for Flash Player following the discovery of a zero-day vulnerability, which it warned could allow hackers "to take control of affected computer systems".

The firm alerted its users to the flaw in a security advisory on Monday, saying it "is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."

Adobe released security updates to cover Flash Player versions and earlier for Windows, and earlier versions for Mac and and earlier for Linux.

Security firm Kaspersky claimed to have discovered the bug and made Adobe aware of it in mid-April, when it detected two new exploits in the "SWF" Adobe Flash file format, which carries multimedia, vector graphics and ActionScript, and said the flaw was being used in watering-hole attacks.

Vyacheslav Zakorzhevsky, manager of the Vulnerability Research Group at Kaspersky Lab, said in a blog post: "After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a [zero-day] vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing."

According to Kaspersky's data, the exploits were stored as movie.swf and include.swf on an infected website, and each exploit came as an unpacked Flash video file.

"The Action Script code inside was neither obfuscated nor encrypted," Zakorzhevsky said. "The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used."

Kaspersky said it's likely that the attack was carefully planned and that reasonably high-calibre professionals were behind it. "The use of professionally written zero-day exploits that were used to infect a single resource testifies to this," Zakorzhevsky added.

The Adobe Flash Player patch arrives just days after Microsoft issued a security bulletin for a similar flaw in almost all recent editions of Internet Explorer. As with the zero-day flaw found in Adobe's Flash Player, Microsoft's emergency security bulletin warned that the vulnerability could give hackers complete control of a user's web browser.

Microsoft issued Security Advisory 2963983 on Saturday, and the flaw is still under investigation by the Redmond firm, leaving users unpatched.

Although similar in type to Microsoft's IE zero-day bug, Adobe's newly announced Flash Player exploit is unrelated, security firm Sophos said, as it is a bug in Flash Player that directly allows remote code execution.

"That means that you could be infected just by viewing a Flash file in your browser," the company warned on Tuesday in its Naked Security blog.

Lee Bell
