Adobe has issued an out-of-band update to address a critical vulnerability in its Flash Player.
The bug CVE-2014-8439 allows attackers to take control of a system by exploiting a weakness in the way a dereferenced pointer to memory is handled, which allows for the execution of arbitrary code.
The vulnerability was given a rating of “2,” which means there are currently no known exploits in the wild. Even so, it is recommended that all Flash Player users update their systems within the next 30 days if not before then.
Adobe patched Flash Player for this same vulnerability in October 2014. However, attackers found a way to bypass that original security update.
An esteemed exploit kit researcher Kafeine discovered as much while investigating the Angler, Nuclear, and Astrum exploit kits.
“The vulnerability is being exploited in blind mass attack,” said Kafeine about CVE-2014-8439. “No doubt about it: the team behind Angler is really good at what it does.”
After making the discovery, the security researcher passed along a sample of the vulnerability to F-Secure, a Finnish security firm. F-Secure contacted the Adobe Product Security Incident Response Team, who issued a patch for the bug shortly thereafter.
“The exploit kit authors reverse engineered October’s Flash update in two days,” reports the research team at F-Secure, a fact which makes “installing the update immediately… paramount, whether you do it manually or automatically.”
Adobe has released Flash Player version 22.214.171.124 for both Windows and Macintosh, version 126.96.36.1998 for those that use the Adobe Flash Player Extended Support Release, and version 188.8.131.524 for Linux.
Flash Player for Google Chrome and Microsoft Internet Explorer should automatically update over the next couple of days.
You can check what version of Adobe Flash Player you are running here. To evaluate what system requirements you need for the update and to manually install the patch, click here.