Adobe released an emergency update to fix a security hole in the Flash Player browser plugin.
Wolfgang Kandek CTO Qualys had the following comments:
Adobe came out today with an out-of-band patch (APSB15-14) for their Flash Player, the fifth time that Flash has required an out-of-band fix for a 0-day. Fireeye had notified them of a critical vulnerability (CVE-2015-3113) that they discovered in use in Asia. They believe it was developed by the group called APT3 and usedin targeted attacks against a number of industries. The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP.
Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don’t recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe.
[su_box title=”Winston Bond, European Technical Manager, Arxan Technologies” style=”noise” box_color=”#336588″]
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud security and compliance solutions with over 7,700 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, Accuvant, BT, Cognizant Technology Solutions, Dell SecureWorks, Fujitsu, HCL Comnet, InfoSys, NTT, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).[/su_box]