Adobe outs emergency Flash Player patch to plug a remote-code execution bug
Adobe has released an emergency patch for a remote-code execution hole tracked as CVE-2014-8439. The release comes as an update to an existing advisory dated October 14.
Back in October, Adobe released a patch to address three different vulnerabilities that could enable hackers to execute code remotely on a compromised system. Just a week after Adobe released the patch, security researcher Kafeine found exploits targeting those vulnerabilities in the Angler and Nuclear kits.
The appearance of exploits targeting the specific CVEs within a week of Adobe releasing the patch is worrisome, because it provides proof that hackers managed to reverse engineer the patches and find the weakness which can be exploited.
With the latest Adobe update, Flash Player will be updated on all platforms. Microsoft and Google will be releasing patches for the Flash Player embedded in Internet Explorer and Chrome respectively, and the browsers should get them automatically.
“These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution (CVE-2014-8439)”, Adobe notes in its advisory. “A mitigation was previously introduced for this issue in the October 14, 2014 release.”
As for version numbers, Flash Player on Windows and Mac will be 126.96.36.199, while the new version on Linux is 188.8.131.524. The Adobe Flash Player Extended Support Release version is now 184.108.40.2068.