Adobe patches zero-day Flash flaw

Adobe patches zero-day Flash flaw

Summary: Three vulnerabilities, including one being exploited in the wild, are fixed in another emergency update of the Flash Player from Adobe.

SHARE:
TOPICS: Security
9
get.adobe.com.flash
Click on image to install current version of Adobe Flash Player

Adobe has released critical updates for Flash Player on Windows, Mac and Linux. Versions 12.0.0.44 and earlier for Windows and Macintosh and versions 11.2.202.336 and earlier versions for Linux are vulnerable to up to three vulnerabilities.

One of these, CVE-2014-0502, is being exploited in the wild. Click here for more detail on how the attack was found by security firm Fireeye and how it behaves.

The new version of Adobe Flash Player on Windows and Mac is 12.0.0.70. The new version for Linux is 11.2.202.341. A Google Chrome update to version 33.0.1750.117 today includes the fixed Flash plugin bundled with that product. Microsoft has released an update for Windows 8.0 and 8.1 for the bundled Flash Player plugin in Internet Explorer 10 and 11.

Users may obtain the newest version of Adobe Flash Player from Adobe at get.adobe.com/flashplayer. Do not trust Flash Player installations or patches from any other source.

In addition to the zero-day flaw reported by Fireeye and the Google Security Team, two other vulnerabilities (CVE-2014-0498 and CVE-2014-0499) were reported to Adobe by Wen Guanxing of Venustech.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • Thanks for the heads-up.

    I just checked the repository and downloaded the update.
    Zogg
  • More and more patches

    It's both refreshing to know they're keeping up on things and bad to know that they have to keep doing it so often.
    Michael Alan Goff
    • Patches

      Interestingly, the link to FireEye in the article states that this Flash Player exploit has targeted both Windows XP and 7. With Windows 7, the exploit requires that one is running an unpatched version of either Java SE 6 or Microsoft Office 2007/2010. Thus, keeping one's Java and Microsoft Office patched is also necessary to defeat this exploit on Windows 7. How many Microsoft Office users on Windows have switched from Windows Update to Microsoft Update?

      P.S. Windows XP appears to be a sitting duck for this exploit if one is not running an alternative browser like Chrome (which bundles Flash Player and is sandboxed on Windows XP as well as supporting URL whitelisting) or Firefox/Seamonkey with one's legitimate and frequently-visited web sites managed via the NoScript extension's Whitelist. Unsuspecting users to the affected web sites get redirected to an exploit server under the control of the miscreants.
      Rabid Howler Monkey
      • you have to keep ALL software patched

        Otherwise its an open invitation to come in and eat your lunch.
        greywolf7
  • OK, but...

    "Do not trust Flash Player installations or patches from any other source."

    My Mother-in-Law might be insulted. ;)

    Thanks!
    Compumind
  • Flash player BAD

    For months I put up with losing control of webpage navigation. Poor scrolling, mouse gestures, etc. When Java was declared insecure, ditched it. Continued running malware removal to regain navigation. Last week removed Flash Player and now what a relief! Netflix still runs terribly but runs. Switched Youtube to viewing Html5 and lost access to 30% of its videos but that's okay!
    nuzerxe
    • Wow

      So it is okay to get a subpar video watching experience because you removed flash? It would have been easier to out something that makes it 'click to flash', then you could have a less crappy experience and flash,
      Michael Alan Goff
  • Flash Player. An unavoidable risk cross platform....

    Whether you work with Windows, OS X or Linux we all take the same risk entrusting Flash Player to be secure. So much so we take it for granted. However it is now becoming abundantly clear this is foolish.
    Flash Player is an application we all use 24/7 without giving it a second thought. I am fairly confident that working with OS X Safari will receive the security updates almost immediately but what of those browsers with Flash embedded such as Internet Explorer 11. Do they have to wait for a Microsoft patch Tuesday ?
    5735guy
  • For Flash without foistware

    The Adobe site http://www.adobe.com/products/flashplayer/distribution3.html offers the latest Flash in full installers (not installation stubs), without the usual foistware Adobe likes to fob off on the unwitting or unwary. Just scroll down and pick your poison :-) .
    fejlinton@...