Adobe yesterday issued an emergency out-of-band fix for three vulnerabilities in Flash: CVE-2014-0498, CVE-2014-0499, and CVE-2014-0502. The last of these is critical since it is already being exploited in the wild; and the advice is therefore to update to the latest version of Flash as soon as possible. Users of IE10 and IE11 and Google Chrome will be updated automatically, but may need to restart their browser for the update to take effect. Other users should visit the Flash download page to get the latest patched version.
A targeted attack campaign dubbed Operation GreedyWonk was described by FireEye in a blog posting yesterday. It has been using CVE-2014-0502 to compromise visitors to the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt, and the Smith Richardson Foundation were redirected to the exploit server which used the new 0-day to download a range of different malware. All three websites deal with national security and public policy issues.
"Fortunately organizations that are running latest operating systems and application code are not affected by the attack," comments Wolfgang Kandek, CTO at Qualys. "In particular the attack needs to bypass ASLR to be successful and therefore only focuses on certain configurations." This includes certain configurations of Windows XP and Windows 7.
FireEye notes that the threat actor concerned "has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems." This actor is clearly well-resourced and is likely to remain a threat in the future.
Meanwhile, Microsoft has released a Fix it for a separate vulnerability (CVE-2014-0322) that was also found in the wild by FireEye. Fix its are not patches, but are temporary solutions until Microsoft produces a full patch. The vulnerability was discovered being used in an attack campaign dubbed Operation SnowMan by FireEye just a week ago.
Since the vulnerability only affects IE 9 and IE 10, one solution is to simply upgrade to IE11. (It is noticeable that neither the Adobe nor the IE vulnerability affect users who have upgraded to the latest versions of Windows and Internet Explorer.) The Fix it is a solution for those users who are unable, for whatever reason, to upgrade. It can be obtained from this page.