Adobe releases another zero-day fix for Flash

For the second time this month, Adobe has addressed a zero-day vulnerability in its popular Flash Player.

On Thursday, the company released security updates that fix three bugs: a stack overflow vulnerability (CVE-2014-0498) that could allow arbitrary code execution; a memory leak flaw (CVE-2014-0499) that could be used to defeat memory address layout randomization; and a Flash zero-day vulnerability (CVE-2014-0502) that was actively exploited in the wild.

All of the vulnerabilities could potentially allow a saboteur to hijack impacted systems, the company warned.

A Thursday security bulletin from Adobe acknowledged that Google's security team and security firm FireEye disclosed the Flash zero-day to the company. That same day, researchers at FireEye took to a company blog to detail an attack campaign, dubbed “Operation GreedyWonk,” which leveraged the zero-day exploit to glean information from foreign policy and defense organizations.

According to FireEye, attackers compromised three websites for nonprofit institutions, so that visitors were redirected to an exploit server hosting the zero-day. From there, a remote access tool (RAT) was installed on victims' computers.

The impacted sites, so far, are those for the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt, and the Smith Richardson Foundation, the blog post revealed.

FireEye said that the GreedyWonk campaign appeared to be related to May 2012 espionage attacks in which hackers also booby-trapped websites and leveraged Adobe Flash and Java vulnerabilities to target victims.

“We believe GreedyWonk may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft (particularly with the websites chosen for this strategic Web compromise), attack infrastructure, and malware configuration properties,” FireEye's blog post said.

“The group behind this campaign appears to have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” the firm revealed.

Adobe's security updates are for Windows and Mac users running Flash Player 12.0.0.44 and earlier, and for Linux users running Flash Player 11.2.202.336 and earlier.
