Adobe has released a security update to patch seven vulnerabilities found in its Flash and AIR platforms, and one vulnerability found in its Reader and Acrobat programs. Adobe notes the Reader and Acrobat vulnerability is being exploited in the wild “in limited, isolated attacks targeting Adobe Reader users on Windows.”
The newly uncovered vulnerabilities give the attacker the ability to “take control of affected systems” and have been marked critical by the company.
Adobe’s critical patch addresses a zero-day vulnerability (CVE-2014-0546) in Adobe Reader and Adobe Acrobat that allows attackers to bypass sandbox protection on Windows and has been abused in ongoing attacks against Windows users.
“These updates resolve a sandbox bypass vulnerability that could be exploited to run native code with escalated privileges on Windows,” Adobe warned.
The single vulnerability in Adobe Acrobat and Reader was discovered by Kaspersky Lab Global Research and Analysis Team Director Costin Raiu and Vitaly Kamluk. Details on the vulnerability were not disclosed, yet Raiu said in a blog post that active exploits have been found in a small number of targeted attacks.
“At the moment, we are not providing any details on these attacks as the investigation is still ongoing,” Raiu writes. “Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.”
Adobe Acrobat and Reader for Apple OS X are not vulnerable; only versions 11.0.07 and earlier on Windows are affected, the company reports.
The other seven vulnerabilities Adobe patched reside in Flash Player, and a majority were rated critical by the company itself. Adobe did not find any of the Flash Player vulnerabilities being exploited in the wild.
Five of the seven updates resolved memory leakage vulnerabilities that allowed attackers to bypass memory address randomization, while the other two address a security bypass flaw and a use-after-free flaw that could allow an attacker to remotely execute code on affected systems.
Affected versions are:
- Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh
- Adobe Flash Player 188.8.131.524 and earlier versions for Linux
- Adobe AIR 184.108.40.206 and earlier versions for Windows and Macintosh
- Adobe AIR 220.127.116.11 SDK and earlier versions
- Adobe AIR 18.104.22.168 SDK & Compiler and earlier versions
- Adobe AIR 22.214.171.124 and earlier versions for Android
Adobe is urging its customers to apply the patches immediately or within three days if on Windows, Mac or Linux based operating systems. Updates for Flash Player can be found on the official Adobe Flash Update page (beware of additional pre-checked installs), and Acrobat and Reader can be updated from within the application by navigating to Help > Check for Updates.