Recently, Adobe published the second update (APSB14-26) of Adobe Flash, an out-of-band release that, together with unexpected Microsoft fixes, makes this month an unusual one for Patch Tuesday. After addressing 18 CVEs in the November 11 update (APSB14-24), the new version of Flash has only a single fix for CVE-2014-8439. Adobe does not say why this CVE is so important that it warrants this unexpected release, but it points out that a mitigation for this problem had been introduced already in APSB14-22 in October.
They acknowledge the work of a trio of security researchers who are all quite involved in malware detections in the wild (Sébastien Duquette of ESET, Timo Hirvonen of F-Secure, and Kafeine from malware.dontneedcoffee.com), which makes me think that they have seen the initial signs of exploitation attempts. I would address the flaw as quickly as possible.
Internet Explorer 10 and 11 and Google Chrome will autoupdate Flash, whereas on other browsers you will have to run the update yourself. You can use our free BrowserCheck tool to get a quick overview of the security situation on your desktop or laptop. With the BrowserCheck Business Edition, you can even control a small network and see how your users are keeping their machines at the latest level.
By Wolfgang Kandek, CTO of Qualys, Inc.