Adobe issues emergency patch for new Flash flaw

By Shona Ghosh, PC Pro

Posted on 21 Feb 2014 at 10:29

Adobe has released a patch to fix three bugs in its Flash Player, one of which is already being exploited by hackers.

The flaws affect Adobe Flash Player 12.0.0.44 and earlier on Windows and Mac, and version 11.2.202.336 and earlier on Linux, Adobe said.

The updates should fix a stack overflow vulnerability that could allow arbitrary code execution, a memory leak bug that allows hackers to bypass key memory protections, and a memory vulnerability that could also allow arbitrary code execution.

According to security firm FireEye, hackers are actively exploiting the latter flaw to surreptitiously install malware on users' PCs.

FireEye said the vulnerability was being exploited on the sites of at least three US non-profit organisations, two of which focus on national security and foreign policy.


Windows XP targeted

The previously undiscovered flaw allows hackers to overwrite the virtual function table pointer of a Flash object to execute malware, the security firm said.

It also allows them to bypass a memory protection mechanism, address space layout randomisation (ASLR), and install malware on machines running older software, namely Windows XP and Windows 7, according to FireEye.

FireEye said it was likely hackers were infecting PCs to steal information, possibly relating to defence and public policy issues.

"Users can mitigate the threat by upgrading from Windows XP and updating Java and Office," the company's researchers said. "If you have Java 1.6, update Java to the latest 1.7 version. If you are using an out-of-date Microsoft Office 2007 or 2010, update Microsoft Office to the latest version."

"These mitigations do not patch the underlying vulnerability," the researchers added. "But by breaking the exploit's ASLR-bypass measures, they do prevent the current in-the-wild exploit from functioning."


Adobe will issue automatic updates for Chrome and Internet Explorer 10 and 11. Others can download the fix from Adobe's site.

This is the second critical patch issued by Adobe out of its usual release schedule for Flash this month.

http://www.pcpro.co.uk/news/387235/adobe-issues-emergency-patch-for-new-flash-flaw