Hot on the heels of Microsoft’s Internet Explorer (IE) zero-day announcement comes an Adobe bulletin about a zero-day in Flash.
Readers who saw our recent story about Microsoft’s zero-day will know that although that bug is entirely in Microsoft’s code, the exploits currently seen “in the wild” rely on a Flash file to get things going.
In the IE attacks, Flash is used by the attackers to get their ducks in a row in memory, so to speak, thus creating the circumstances needed make their exploit on IE succeed.
Adobe’s newly-announced Flash exploit is unrelated: APSB14-13 is a bug in Flash itself that apparently allows remote code execution.
That means that you could be infected just by viewing a Flash file in your browser.
As in the Microsoft announcement, Adobe is being tight-lipped about what is wrong, saying simply:
Adobe has released security updates for Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Adobe Flash Player 188.8.131.52 and earlier versions for Macintosh and Adobe Flash Player 184.108.40.2060 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform.
As you can see, Adobe does have a patch out, so you don’t need to worry about workarounds like the ones we suggested to circumvent the IE zero-day.
We therefore recommend getting the patch immediately.
Presumably (though not certainly), this means the vulnerability was responsibly disclosed to Adobe before the first attacks were seen.
Responsible disclosure is where a vendor finds a hole itself, or has the hole reported by someone who doesn’t go public right away, and then fixes it within a reasonable period, deferring public discussion of the details of the bug until a patch is out.
It’s a fair guess, therefore, that before a patch could be finished, tested and scheduled for a suitable Adobe Patch Tueday, one or more crooks also discovered the vulnerability, and how to exploit it, and began to use it in the wild.
Thus the need for a so-called out of band patch not on Adobe’s usual schedule.
With that in mind, Adobe rates this patch Priority 1, Critical.
So you may as well patch just as soon as you can.
→ Microsoft ships Flash built into IE 10 and IE 11, and has announced updates for the Flash player in those browsers. Chrome users should also receive automatic updates to the Flash player built into that browser.
The only important thing to remember is that applying this Adobe patch doesn’t do anything to protect you against CVE-2014-1776, the recent Microsoft IE zero-day.
That IE zero-day doesn’t require Flash; it’s just that the currently-known exploits happen to use Flash as a handy “helper toolkit.”
PS. If you use the Adobe Flash Player Distribution page, you will find out how to apply for a free licence to access Adobe’s standalone installers. These installers avoid the foistware in Adobe’s regular installer that some of you have complained about before on Naked Security comments.