The Inquirer-Home

Adobe patches Flash Player zero-day flaw used in watering-hole attacks

Bug could have allowed attackers to take control of affected systems
Tue Apr 29 2014, 11:21

ADOBE HAS ISSUED an emergency patch for Flash Player following the discovery of a zero-day vulnerability, which it warned could allow attackers "to take control of affected computer systems".

The firm alerted its users to the flaw in a security advisory on Monday, saying that it "is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform".

Adobe released security updates to cover Flash Player versions and earlier for Windows, and earlier versions for Mac and and earlier for Linux.

Security firm Kaspersky claimed to have discovered and made Adobe aware of the bug in mid-April when it detected two new exploits in the "SWF" multimedia, vector graphics and ActionScript Adobe Flash file format, and said the bug was being used in watering-hole attacks.

"After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a [zero-day] vulnerability that was later labeled as CVE-2014-0515," Kaspersky Labs expert Vyacheslav Zakorzhevsky said in a blog post. "The vulnerability is located in the Pixel Bender component, designed for video and image processing."

According to Kaspersky's data, the exploits were stored as movie.swf and include.swf at an infected website and each exploit comes as an unpacked flash video file.

"The Action Script code inside was neither obfuscated nor encrypted," Zakorzhevsky said. "The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used."

Kaspersky said that it's likely that the attack was carefully planned and that professionals of pretty high calibre were behind it. "The use of professionally written zero-day exploits that were used to infect a single resource testifies to this," Zakorzhevsky added.

The Adobe Flash Player patch arrives just days after Microsoft issued a security bulletin for a similar flaw in almost all recent editions of Internet Explorer, versions 6-11. Like the zero-day flaw found in Adobe's Flash Player, Microsoft's emergency security bulletin warned that the vulnerability could give hackers complete control of a user's web browser.

Microsoft issued Security Advisory 2963983 on Saturday, leaving users unpatched, and the flaw is still under investigation by the Redmond firm.

Although similar in type to Microsoft's IE zero-day bug, Adobe's newly announced Flash Player exploit is unrelated, security firm Sophos said, as it is a bug in Flash Player that directly allows remote code execution.

"That means that you could be infected just by viewing a Flash file in your browser," the company warned today in its Naked Security blog. µ

