- SMB Spotlight
Adobe has issued a patch for Flash Player following the discovery of a zero-day vulnerability, which it warned could allow hackers "to take control of affected computer systems".
The firm alerted its users of the flaw in a security advisory on Monday, saying it "is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."
Adobe released security updates to cover Flash Player versions 18.104.22.168 and earlier for Windows, 22.214.171.124 and earlier versions for Mac and 126.96.36.1990 and earlier for Linux.
Security firm Kaspersky claimed to have discovered and made Adobe aware of the bug in mid-April when it detected two new exploits in the "SWF" multimedia, vector graphics and Action Script Adobe Flash file format, and said it was being used in watering-hole attacks.
Kaspersky Labs manager of the Vulnerability Research Group Vyacheslav Zakorzhevsky said in a blog post: "After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a [zero-day] vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing."
According to Kaspersky's data, the exploits were stored as movie.swf and include.swf at an infected website and each exploit comes as an unpacked flash video file.
"The Action Script code inside was neither obfuscated nor encrypted," Zakorzhevsky said. "The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used."
Kaspersky said it's likely that the attack was carefully planned and that reasonably high-calibre professionals were behind it. "The use of professionally written zero-day exploits that were used to infect a single resource testifies to this," Zakorzhevsky added.
The Adobe Flash Player patch arrives just days after Microsoft issued a security bulletin for a similar flaw in almost all recent editions of Internet Explorer. Like the zero-day flaw found in Adobe's Flash Player, Microsoft's emergency security bulletin warned that the vulnerability could give hackers complete control of a user's web browser.
Leaving users unpatched, Microsoft issued Security Advisory 2963983 on Saturday and is still under investigation by the Redmond firm.
Although similar in type to Microsoft's IE zero-day bug, Adobe's newly announced Flash Player exploit is unrelated, security firm Sophos said, as it is a bug in Flash Player that directly allows remote code execution.
"That means that you could be infected just by viewing a Flash file in your browser," the company warned on Tuesday in its Naked Security blog.