Adobe on Tuesday released an out-of-band security update to address a critical security vulnerability in Adobe Flash Player that could allow an attacker to remotely take control of an affected system.
Adobe has released security updates for Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh and Adobe Flash Player 126.96.36.1995 and earlier versions for Linux.
Adobe said that the vulnerability (CVE-2014-0497), reported to Adobe by Alexander Polyakov and Anton Ivanov of Kaspersky Lab, has an exploit that exists in the wild.
Interestingly, Kaspersky Lab said earlier this week that it has been investigating a sophisticated malware that leverages high-end exploits, and includes a bootkit and rootkit, and also has versions for Mac OS and Linux.
Neither Adobe nor Kaspersky Lab disclosed if the vulnerability patched today by Adobe has any connection to the cyber-espionage operation that Kaspersky Lab is calling “one of the most advanced threats at the moment”.
“Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions,” the company said.
An entry into the National Vulnerability Database forCVE-2014-0497has not yet been created.
Adobe urged users should to update their software to the latest versions of Adobe Flash Player:
• Users of Adobe Flash Player 188.8.131.52 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 184.108.40.206.
• Users of Adobe Flash Player 220.127.116.115 and earlier versions for Linux should update to Adobe Flash Player 18.104.22.1686.
• Adobe Flash Player 22.214.171.124 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 126.96.36.199 for Windows, Macintosh and Linux.
• Adobe Flash Player 188.8.131.52 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 184.108.40.206 for Windows 8.0.
• Adobe Flash Player 220.127.116.11 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 18.104.22.168 for Windows 8.1.
If there is any connection betweenCVE-2014-0497and the operation dubbed “The Mask” byKaspersky Lab, it will not likely be disclosed until the company shares the details of its findings at the KasperskySecurity Analyst Summit 2014(SAS), taking place next week in Punta Cana, Dominican Republic.
Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Adobe Issues Emergency Patch To Address Flash Player Zero-Day Snowden Leaks Spark Defense Firms to Change Security Practices: SurveyWhiteHat Security Founder Jeremiah Grossman Takes Role as Interim CEO Microsoft Names Head of Cloud and Enterprise Group Satya Nadella as CEOWhite Lodging Says 14 Properties Compromised in Point-of-Sale Attack
Tags: NEWS INDUSTRY