Adobe thwarts exploit of three security vulnerabilities

Feb 21, 2014 07:46 GMT

Adobe rolled out another emergency update for Flash Player, the second out-of-band release this month, due to the recent discovery of a zero-day vulnerability that appears to have exploits in the wild.

Adobe’s security bulletin shows that the current update addresses a total of three security glitches. One refers to a memory leak vulnerability that would permit an attacker to defeat memory address layout randomization (CVE-2014-0499).

The other two (CVE-2014-0498 and CVE-2014-0502) could result in executing arbitrary code on affected machines by taking advantage of a stack overflow and a double free vulnerability.

Adobe said it has received reports that exploits for the zero-day vulnerability identified as CVE-2014-0502 (attributed to Google Security Team and FireEye) are currently being used in the wild, and it urges users to update to the latest revision as quickly as possible.

According to FireEye, exploitation of this security flaw is part of a targeted attack campaign it dubbed “Operation GreedyWonk,” which seems focused on infecting visitors to foreign and public policy websites.

The update to version 12.0.0.70 (for Windows and Mac) and 11.2.202.341 (for Linux) of Adobe Flash Player is considered critical, which means that code could be executed on the affected systems without the user being aware.