Adobe tries again to fix Flash vulnerability

Malware authors found a way to continue to exploit a vulnerability patched last month

Adobe released an emergency patch on Tuesday to fix a Flash Player vulnerability that was fixed last month but was quickly exploited again.

The company had issued a patch for the flaw, called CVE-2104-8439, but attackers soon found a way around that fix.

The latest update to Flash adds a "mitigation" for CVE-2104-8439, a vulnerability that could lead to the installation of malware.

The latest version for Windows and Apple's Mac OS is 15.0.0.239, and the latest for Linux is 11.2.202.424. Flash Player for Google's Chrome and Microsoft's Internet Explorer browsers should automatically update, but the update also can be installed manually from Adobe.

CVE-2014-8439 was patched on Oct. 14 along with three other vulnerabilities, but apparently the patch wasn't enough to stop exploit-kit developers from reverse-engineering the fix and finding a way to continue to exploit it.

Exploit kits are malicious software packages that automatically attack computers that browse to a website where one is installed, looking for software vulnerabilities and delivering malware.

Timo Hirvonen, a senior researcher at F-Secure, wrote on Tuesday that the company received an exploit sample from independent security researcher Kaffeine. The exploit appeared to still work despite Adobe's October patches.

"We considered the possibility that maybe the latest patch prevented the exploit from working [but] the root cause of the vulnerability was still unfixed, so we contacted the Adobe Product Security Incident Response Team," Hirvonen wrote. Adobe "confirmed our theory and released an out-of-band update to provide additional hardening."

Kaffeine found the Angler exploit kit was exploiting CVE-2104-8439 again just a week after Adobe's Oct. 14 patch release, with the Astrum and Nuclear exploit kits adding the same capability soon after, Hirvonen wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Adobe SystemsExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?