Adobe has released an emergency fix to patch three vulnerabilities in Flash Player, one of which is already being exploited in targeted attacks directed at non-profit agencies, in a bid to spy on national security and public policy agencies.
“Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux”, notes Adobe in its security bulletin. “These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.”
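As an added example (not from the article, Adobe or FireEye), a small Python triage helper that checks an inventory of Flash Player installs against the affected ceilings quoted in the bulletin above: 12.0.0.44 and earlier on Windows and Macintosh, 11.2.202.336 and earlier on Linux. The hostnames and version strings in the sample inventory are constructed.

```python
"""Flag Flash Player installs that fall inside the version ranges the bulletin calls affected."""
from __future__ import annotations

# Highest version still affected, per platform, as quoted from the Adobe bulletin.
AFFECTED_MAX = {
    "windows": (12, 0, 0, 44),
    "macintosh": (12, 0, 0, 44),
    "linux": (11, 2, 202, 336),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.0.0.44' into (12, 0, 0, 44); a non-numeric component raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def is_affected(platform: str, version: str) -> bool:
    """True when the installed version is at or below the bulletin's ceiling for that platform."""
    key = platform.strip().lower()
    if key not in AFFECTED_MAX:
        raise ValueError(f"platform not covered by the bulletin: {platform!r}")
    # Tuple comparison is component-wise, so 11.9.900.170 sorts below 12.0.0.44.
    return parse_version(version) <= AFFECTED_MAX[key]


def triage(inventory: list[dict]) -> list[str]:
    """Return the hostnames whose Flash Player sits inside the affected range."""
    return [row["host"] for row in inventory
            if is_affected(row["platform"], row["flash_version"])]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "flash_version": "12.0.0.44"},        # at ceiling
    {"host": "ws-02", "platform": "Windows", "flash_version": "12.0.0.70"},        # above ceiling
    {"host": "mac-01", "platform": "Macintosh", "flash_version": "11.9.900.170"},  # older release
    {"host": "lx-01", "platform": "Linux", "flash_version": "11.2.202.336"},       # at ceiling
    {"host": "lx-02", "platform": "Linux", "flash_version": "11.2.202.341"},       # above ceiling
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player within the affected range, update required")
```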
The fix patches a stack overflow vulnerability that could allow attackers to run arbitrary code, a memory leak bug that could allow attackers to bypass key memory protections, and a memory vulnerability that could also allow for arbitrary code execution.
According to researchers at FireEye, attackers are already exploiting the memory vulnerability to install malware on users’ systems. Adobe has also acknowledged the presence of an exploit in the wild, stating that “Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions”.
According to the security company, the vulnerability allowed attackers to bypass the memory protection mechanism known in Windows as address space layout randomisation (ASLR) and execute arbitrary code, including installing malware, on systems running Windows XP as well as Windows 7.
“Users can mitigate the threat by upgrading from Windows XP and updating Java and Office. If you have Java 1.6, update Java to the latest 1.7 version. If you are using an out-of-date Microsoft Office 2007 or 2010, update Microsoft Office to the latest version”, notes FireEye in its blog post.
Adobe will deliver the patches through automatic updates for Chrome and Internet Explorer 10 and 11. Other users can head to the Adobe website and download the patches.