Adobe Issues Out-of-band Emergency Flash Player Update

Adobe credits Alexander Polyakov and Anton Ivanov of Kaspersky Lab for discovery of the vulnerability

Adobe says nothing else about the current exploit, although it credits Alexander Polyakov and Anton Ivanov of Kaspersky Lab for discovery of the vulnerability.

Over on ThreatPost, the Kaspersky Lab news service, Michael Mimoso reports on the Adobe update, and adds, "Researchers from the company’s [Kaspersky Lab's] Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild." There is no direct association between the Adobe fix and The Mask – but the inference is clear.

That Securelist announcement is equally obscure, but is clearly a teaser for what Kaspersky believes will be a major announcement next week. Since Flame, Stuxnet and RedOctober are also mentioned in the announcement, readers are being primed to expect information on a new state-sponsored cyber-espionage campaign – but perhaps from a different and unexpected quarter.

It seems likely – but is not specified – that this campaign ("which has been going on at least since 2007, infecting victims in 27 countries") is making use of the Flash flaw. But whether this is true or not, it is clear that Adobe considers the matter to be urgent – it has rushed out its update just one week ahead of its standard monthly patch cycle.

Interestingly, Microsoft has issued its own advisory (by updating an original advisory dating from September 2012), but has not at this stage added it to its automatic update regime. "Today’s advisory isn’t considered a bulletin with patches – it’s an advisory with a file you can download," comments Tyler Reguly, the manager of Tripwire’s Vulnerability and Exposure Research Team (VERT). "I'm still a firm believer that Microsoft has made a mistake with the advisory route and that some will overlook this update because it isn't a Bulletin."

The danger is that Windows users (who don't use the automatically updated browsers IE10, IE11 and Chrome) will leave themselves unnecessarily exposed to an actively exploited Flash threat.
