Adobe have released yet another patch in a long line of updates designed to combat the many exploits, holes, and vulnerabilities that seem to inherently come with the Flash Player and its associated applications.
This time around Adobe claims the patch is to solve an issue that left three non-profit policy websites vulnerable to an attack from unknown sources, a problem which was first brought to their attention by the security researchers at FireEye Internet Security.
In technical speak, the update will supposedly “resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498)”, repair “a memory leak vulnerability that could be used to defeat memory address layout randomization [ASLR] (CVE-2014-0499), and stomp out “a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).”
As for now, the exploit only targets systems running Windows or Mac OSX with Flash Player version 18.104.22.168 and below. The new version, 22.214.171.124, seeks to address an issue that was causing the websites in question to unintentionally infect anyone who visited with a bug designed to build the outer scaffolding and internal foundation of a good old fashioned classic botnet.
The botnet was potentially commissioned to gather intelligence on its subjects, as two of the three infected sites are dedicated to privacy and public policy in one way or another.
One mild sign of relief is that this bug needed a very particular set of variables to be in place in order to function properly, relying on a PC that was running both Windows 7 (or XP), and Microsoft Office 2007 or 2010. Without both components installed, the virus is unable to initiate the download of the malicious image files to launch the attack, so as long as you run any other programs like Google Drive or OpenOffice to manage your documents instead of Office, you should be fine.
Also worth mentioning — if you use Google Chrome or IE10 to surf the web, you should have already received the patch automatically through each browser’s respective update service, and if not, you can always head over to Adobe’s download page to manually install the fix on your own.