nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Second time's a charm: Adobe has another go at killing Flash hijack flaw

It's not December already – out-of-band patch today must be installed

By Shaun Nichols, 25 Nov 2014

Ready to enjoy the Thanksgiving holiday? Can't wait to open your advent calendar? Not so fast – there's one more patch to install before the month is over.

Adobe has posted an update for its Flash plugin, version 15.0.0.239, to address a critical remote-code-execution vulnerability. This will be the Photoshop giant's second attempt at fully squashing this particular security bug.

Users and administrators are advised to update their software on Windows, OS X and Linux systems. Opening a specially crafted Flash file can trigger the bug, and lead to the execution of an attacker's code to hijack the machine.

Adobe said patching the flaw (CVE 2014-8439) should be considered a top priority, hence the out-of-band update. Normally, security fixes come on the second Tuesday of each month.

According to infosec biz F-Secure, the vulnerability was first exploited by the Angler malware kit to infect computers and inject malicious code into running processes.

F-Secure says today's patch is a second attempt by Adobe to snap shut the vulnerability in Flash – although the first try killed off initial attacks, the underlying programming blunder was still present, and it took malware developers just two days to tweak their exploit code to carry on infecting.

Adobe has confirmed as much, calling today's update "additional hardening" against a flaw patched by an October update.

"We considered the possibility that maybe the latest patch [from October] prevented the exploit from working and the root cause of the vulnerability was still unfixed, so we contacted the Adobe Product Security Incident Response Team," F-Secure said.

"They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution." ®

The Register - Independent news and views for the tech community. Part of Situation Publishing