Adobe has released a set of out-of-band emergency security updates for Adobe Flash Player for Windows, Macintosh and Linux, after an exploit kit was found to be newly exploiting a previously patched remote-code execution vulnerability.
The exploit kit authors were simply able to reverse-engineer the October Flash update.
The fresh updates provide additional hardening against CVE-2014-8439, which was mitigated in the October 14 security release. It affects Adobe Flash Player 15.0.0.223 and earlier versions; Adobe Flash Player 13.0.0.252 and earlier 13.x versions; and Adobe Flash Player 11.2.202.418 and earlier versions for Linux.
F-Secure first discovered the continued vulnerability while analyzing a Flash exploit from an exploit kit called Angler. The sample was sent by well-known exploit kit researcher Kafeine, who noted that the exploit worked with Flash Player 15.0.0.152 but not with 15.0.0.189.
“That would imply the vulnerability was something patched in [the previous update],” said Timo Hirvonen of F-Secure, in a blog post. However, based on the information that F-Secure had received via the Microsoft Active Protections Program, the exploit didn’t match any of the vulnerabilities patched before.
“We considered the possibility that maybe the latest patch prevented the exploit from working, and the root cause of the vulnerability was still unfixed—so we contacted the Adobe Product Security Incident Response Team,” Hirvonen said. “They confirmed our theory.”
This, he said, led to this week’s out-of-band update for the flaw, which lies in the handling of a dereferenced memory pointer and could lead to code execution.
Kafeine reported Angler exploiting this vulnerability on Oct. 21, and Angler was soon followed by the Astrum and Nuclear exploit kits.
“Considering the exploit kit authors reverse engineered October’s Flash update in two days, installing the update immediately is paramount, whether you do it manually or automatically,” said Hirvonen.