Attack code for integer underflow bug is already circulating in the wild.
Adobe has released an unscheduled update for its ubiquitous Flash media player to patch a critical vulnerability that may already be under active exploit in the wild.
The security flaw exists in Adobe Flash Player 220.127.116.11 and earlier versions for Windows and OS X and 18.104.22.1685 and earlier versions for Linux, according to an advisory published Tuesday morning. The vulnerability stems from an integer underflow bug in the underlying code that could be exploited to execute arbitrary code on the affected system. Because attackers can typically trigger such vulnerabilities surreptitiously after luring victims to websites hosting attacks, Adobe rated the threat as “critical,” the company’s highest severity category.
“Adobe is aware of reports that an exploit for this vulnerability exists in the wild and recommends users update their product installations to the latest versions,” the Adobe advisory stated. It went on to thank Alexander Polyakov and Anton Ivanov of antivirus provider Kaspersky Labs for reporting the vulnerability, which was listed as CVE-2014-0497 under the standardized common vulnerabilities and exposure disclosure system.
An Adobe spokeswoman had no further details about the in-the-wild exploit mentioned in the advisory. Frequently, such zero-day attacks are waged in highly targeted campaigns against specific individuals in a corporation or government agency. Given the risk of complete system takeover, however, all readers are advised to update their systems as soon as possible, regardless of their risk profile or the operating system they use. Updates are available here.