Adobe Systems issued an emergency, out-of-band update on Wednesday that adds hardening to its Flash Player software against attacks targeting flaws it repaired in an October update.
The update affects users of Flash Player on Windows, Macintosh and Linux. Adobe Flash Player bundled with Google Chrome also will be updated to address the issue, the company said. The out-of-band update addresses attacks that attempt to bypass the October fixes.
If an exploit is developed, it would be folded into automated attack toolkits and likely target victims in drive-by attacks, according to security experts. Attacks also have been seen using the Internet Explorer and Microsoft Office rendering engines to reach the Flash Player weaknesses and compromise a victim's machine.
"These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution," Adobe said in its advisory.
It's unclear why additional hardening is necessary, but such updates are typically issued to address the potential of an attack or to block ongoing attacks in the wild, said Tod Beardsley, a Metasploit engineering manager at Boston-based Rapid7. "It's nearly always in response to external activity around the bug being fixed," Beardsley said.
Adobe Flash remains a favorite target of attackers because of its widespread install base. Users often run outdated Flash Player browser components, leaving the software open to attack, solution providers said. Users of Google Chrome and Internet Explorer 10 and 11 will get an automatic update of Flash, according to Wolfgang Kandek, CTO of Qualys. Older browsers often require users to apply updates manually.
Common vulnerabilities, including those in widely used applications, are the entry point for data breaches, said Michael Bruemmer, vice president of Experian's Data Breach Resolution Group. While consumers may have reached breach fatigue after the spate of high-profile data breaches in 2014, organizations are looking at employee training, addressing system weaknesses and shoring up the mistakes that cause security lapses, Bruemmer told CRN.
"Despite all the technologies that are put in place, a lot of companies are falling to the human fallibility factor," Bruemmer said. "The best thing organizations can do is focus on best practices and be prepared to respond appropriately when an incident happens."
Microsoft issued a bevy of updates as part of its October Patch Tuesday, repairing 17 vulnerabilities in Internet Explorer, including issues directly related to Adobe Flash Player. Experts said the two software giants are responding to targeted attack campaigns that are exploiting the vulnerabilities via file attachments and in drive-by website attacks.
Earlier this month, Microsoft addressed several zero-day vulnerabilities believed to have been exploited by the attackers known as the Sandworm cyberespionage group. The APT group targeted people at organizations in the United States, Poland, Ukraine and Western Europe.
Published Nov. 25, 2014