Adobe rolls out a small, easy to apply set of fixes

Oct 15, 2014 09:52 GMT

Adobe released a new update for Flash Player, eliminating a set of three vulnerabilities, all of which could allow arbitrary code to run on the affected computer.

The developer marked all the flaws as “critical,” the highest severity rating, which means that applying the fix should be a priority for all clients.

Patching up is automatic in most cases

Two of the vulnerabilities addressed consist of memory corruption bugs and could allow a potential attacker to execute native code remotely. The discovery of these issues is attributed to Ian Beer from Google’s Project Zero (CVE-2014-0558) and to Wen Guangxing from Venustech ADLAB (CVE-2014-0564).

A third glitch removed by the latest Flash Player update is an integer overflow vulnerability (CVE-2014-0569), attributed to Bilou from HP's Zero Day Initiative.

Users are strongly advised to install the new version to avoid the risk of threat actors leveraging these flaws.

In Google Chrome, the latest version of the player is automatically installed through the browser update mechanism. With Internet Explorer, the process is automatic too, but the new version is delivered through Windows Updates.

Adobe Flash Player includes an option for applying updates automatically, as soon as they become available. Another way to learn about a fresh release is to turn on the notification feature, which alerts the user when new content from the developer is available.

Updates for one product do not come alone

The update process for the products of multiple companies has been synchronized with Microsoft’s release of security updates for Windows clients.

As a result, multiple developers deliver improved versions of their software solutions the same day as the Redmond-based company.

Oracle has announced that this month’s patches impact no fewer than 44 of its products. In total, 155 glitches have been addressed and the patches are being pushed to the clients; Java was affected by 22 remotely exploitable vulnerabilities.

Microsoft’s security improvements for October are also notable, as the company plugged several zero-day flaws that have been used in cyber espionage campaigns.

Security researchers have evidence that two groups, one believed to be from China (Hurricane Panda), the other from Russia (Sandworm), leveraged previously unknown vulnerabilities to achieve persistence on the affected computers.

A third group has also been acknowledged, but there is no information about its origin; it targeted international organizations by exploiting a kernel-mode driver vulnerability related to the parsing of TrueType font files.

In the case of Sandworm, there is proof that the group has been involved in cyber espionage activities since at least 2009, and the recently uncovered zero-day has been used for at least five months. They used a flaw that allowed the OLE packager to download and execute INF files.

Hurricane Panda achieved privilege escalation through another kernel-mode driver vulnerability that caused incorrect handling of objects in memory.