Adobe has released the second critical security update for its Flash Player plug-in in less than three weeks.
Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.
The latest update addresses a zero-day exploit reported by security firm FireEye that targeted visitors of at least three non-profit websites.
FireEye said the Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation were all compromised using remote code injection.
Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.
The security firm’s researchers said the attacks may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft, attack infrastructure and malware configuration.
FireEye said it believes those responsible for the attacks have sufficient resources, such as zero-day exploits, and are committed to infecting visitors to foreign and public policy websites.
“The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye said in a blog post.
In a security bulletin, Adobe said the updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe Flash Player and AIR versions affected
The following versions of Adobe Flash Player and Adobe AIR are affected:
- Adobe Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh
- Adobe Flash Player 126.96.36.1996 and earlier versions for Linux
- Adobe AIR 188.8.131.520 and earlier versions for Android
- Adobe AIR 184.108.40.2060 SDK and earlier versions
- Adobe AIR 220.127.116.110 SDK & Compiler and earlier versions
The new version of Flash Player for Windows and Mac is 18.104.22.168 while the newest for Linux is 22.214.171.1241.