Adobe Flash Player updates confront zero-day exploit

Feb 21, 2014 by Nancy Owano weblog

(Phys.org) — An Adobe Flash exploit has targeted three sites. Adobe Systems on Thursday announced knowledge of the exploit and what steps to take. The company assigned the CVE identifier CVE-2014-0502 to the vulnerability. Its security bulletin addressed updates for Adobe Flash Player in response to the zero-day exploit. In the bulletin, titled "Security updates available for Adobe Flash Player," the company said that "Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions," which were listed. The attack, described as a zero-day Adobe Flash exploit, was discovered on February 13 by Milpitas, California-based security company FireEye.

Adobe's security updates included those for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. Adobe said that users of Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.70. Users of Adobe Flash Player 11.2.202.336 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.341. Adobe Flash Player 12.0.0.44 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.70 for Windows, Macintosh and Linux.

The announcement also provided guidelines for those using Adobe Flash Player 12.0.0.44 installed with Internet Explorer 10 and Internet Explorer 11. Users of Adobe AIR 4.0.0.1390 and earlier versions for Android were told to update to Adobe AIR 4.0.0.1628.

Adobe further explained how users can verify which version of Adobe Flash Player is installed on their system and gave instructions for updating software installations.

The FireEye team that spotted the exploit, meanwhile, offered some observations in a Thursday blog post about the attack and the attackers. The attack targets were evident even in the headline, "Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit." Commenting further, the team said, "As of this blog post, visitors to at least three nonprofit institutions—two of which focus on matters of national security and public policy—were redirected to an exploit server hosting the zero-day exploit. We're dubbing this attack 'Operation GreedyWonk.'" They said they believe that GreedyWonk may be related to a May 2012 campaign, "based on consistencies in tradecraft (particularly with the websites chosen for this strategic Web compromise), attack infrastructure, and malware configuration properties." They said the group behind this campaign appeared to have sufficient resources, such as access to zero-day exploits, and "a determination to infect visitors to foreign and public policy websites."

Meanwhile, Microsoft wasted no time in issuing a security advisory on Wednesday regarding a vulnerability in Internet Explorer that could allow remote code execution. "Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability."


More information: support.microsoft.com/kb/2934088
helpx.adobe.com/security/products/flash-player/apsb14-07.html


User comments : 5


PoppaJ
5 / 5 (1) Feb 21, 2014
Adobe and its flash player are nothing but a tracker installing banner ad adding spam engine. It's not an exploit issue. It's the company they keep that is the issue.
DonGateley
5 / 5 (1) Feb 21, 2014
This pig has simply got to vanish. A never ending cornucopia of exploits.
dirk_bruere
not rated yet Feb 22, 2014
Adobe Flash should die
alfie_null
not rated yet Feb 22, 2014
I don't use it. It's not enabled. It's not even installed. I haven't used it for years. I haven't missed it yet.

Speaking of Adobe, I can't say I'm a big fan of Adobe Reader either. Reader seems to have a track record of focusing on features at the expense of security. Or maybe so often exploited because it's such a big target. Fortunately, there's a plenitude of alternatives.
DonGateley
not rated yet Feb 22, 2014
@alfie_null: Do you just live without all the web content that now requires it?
