Adobe has released the second critical security update for its Flash Player plug-in in less than three weeks.
Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.
The latest update addresses a zero-day exploit reported by security firm FireEye that targeted visitors of at least three non-profit websites.
FireEye said the Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation were all compromised using remote code injection.
Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.
The security firm’s researchers said the attacks may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft, attack infrastructure and malware configuration.
FireEye said it believes those responsible for the attacks have sufficient resources, such as access to zero-day exploits, and are committed to infecting visitors to foreign and public policy websites.
“The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye said in a blog post.
In a security bulletin, Adobe said the updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe Flash Player and AIR versions affected
The following versions of Adobe Flash Player and Adobe AIR are affected:
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh
- Adobe Flash Player 22.214.171.1246 and earlier versions for Linux
- Adobe AIR 126.96.36.1990 and earlier versions for Android
- Adobe AIR 188.8.131.520 SDK and earlier versions
- Adobe AIR 184.108.40.2060 SDK & Compiler and earlier versions
The new version of Flash Player for Windows and Mac is 220.127.116.11 while the newest for Linux is 18.104.22.1681.