Adobe fixes Flash 0-day
Posted on 21 February 2014.
Adobe released their second out-of-band update for Adobe Flash this month. APSB14-07 fixes three vulnerabilities in Adobe Flash, including CVE-2014-0502 which is being used in the wild to attack users through malicious webpages.

The 0-day flaw in Flash, CVE-2014-0502, was discovered about a week ago by FireEye, which states that it was found on three websites run by non-profit institutions. Fortunately, organizations running the latest operating systems and application code are not affected by the attack: they lack the vulnerable components the attack needs in order to succeed.

In particular, the attack needs to bypass ASLR to succeed and therefore only targets certain configurations:
  • Windows XP (which does not have ASLR)
  • Windows 7 with Java 1.6 installed, which allows for an ASLR bypass; Java 1.6 is already EOL and in general vulnerable to other exploits
  • Windows 7 with a not fully updated version of Office 2007 or Office 2010, which is also vulnerable to other exploits.
Our recommendation is to update as quickly as possible. Organizations that run any of the above configurations need to do this immediately; others can roll out this patch on a normal schedule, but need to be aware that attackers may switch tactics at any time and abuse other software packages that also leak memory locations.
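A way to turn the prioritization above into a fleet triage, as an added example that is not part of the original article: hosts whose Flash is already at the fixed version are set aside, hosts matching one of the three exposed configurations (XP, Windows 7 with Java 1.6, Windows 7 with unpatched Office 2007/2010) go to the urgent bucket, and everything else goes on the normal schedule. The inventory records are constructed, and the fixed Flash version is a placeholder to be replaced with the number from APSB14-07.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
def parse_version(v: str) -> tuple:
    """Turn '12,0,0,70', '12.0.0.70' or '1.6.0_45' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.split(r"[.,_]", v.strip()) if p.isdigit())
@dataclass
class Host:
    name: str
    os: str                    # "Windows XP", "Windows 7", "Windows 8.1", ...
    flash_version: str         # Flash Player version the browser reports
    java_versions: List[str] = field(default_factory=list)   # e.g. ["1.6.0_45"]
    office_version: str = ""   # "2007", "2010", or "" if no Office installed
    office_fully_patched: bool = True

def exposure_reasons(host: Host) -> List[str]:
    """List the advisory's ASLR-bypass configurations that this host matches."""
    reasons = []
    if host.os == "Windows XP":
        reasons.append("Windows XP: no ASLR")
    elif host.os == "Windows 7":
        if any(parse_version(j)[:2] == (1, 6) for j in host.java_versions):
            reasons.append("Windows 7 + Java 1.6 (ASLR bypass; EOL runtime)")
        if host.office_version in ("2007", "2010") and not host.office_fully_patched:
            reasons.append(f"Windows 7 + Office {host.office_version} not fully patched")
    return reasons

def triage(hosts: List[Host], fixed_flash: str) -> Dict[str, List[str]]:
    """Bucket hosts: already patched, urgent (exposed configuration), or normal schedule."""
    buckets: Dict[str, List[str]] = {"patched": [], "urgent": [], "normal": []}
    fixed = parse_version(fixed_flash)
    for h in hosts:
        if parse_version(h.flash_version) >= fixed:
            buckets["patched"].append(h.name)
        elif exposure_reasons(h):
            buckets["urgent"].append(h.name)
        else:
            buckets["normal"].append(h.name)
    return buckets

# Constructed sample inventory. FIXED is a placeholder, not the APSB14-07 version number.
FIXED = "13.0.0.0"
INVENTORY = [
    Host("xp-kiosk", "Windows XP", "12,0,0,1"),
    Host("w7-dev", "Windows 7", "12.0.0.1", java_versions=["1.6.0_45", "1.7.0_51"]),
    Host("w7-finance", "Windows 7", "12.0.0.1", office_version="2010", office_fully_patched=False),
    Host("w7-clean", "Windows 7", "12.0.0.1", java_versions=["1.7.0_51"], office_version="2010"),
    Host("w81-done", "Windows 8.1", "13.0.0.0"),
]
```

Calling `triage(INVENTORY, FIXED)` yields xp-kiosk, w7-dev and w7-finance as urgent, w7-clean on the normal schedule and w81-done as patched; `exposure_reasons` gives the reason string to put in the ticket.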

Microsoft has updated advisory KB2755801, which centralizes the Flash updates for Internet Explorer 10 and 11. Users of IE10, IE11 and Google Chrome do not need to update Adobe Flash separately; the update is delivered through their browsers automatically.


Author: Wolfgang Kandek, CTO, Qualys.

Copyright 1998-2014 by Help Net Security.