Adobe today released an out-of-band security update for Flash Player that patches a vulnerability the company said is currently being exploited.

Adobe Flash Player version 12.0.0.43 and earlier for Windows and Mac are affected as is 11.2.202.335 and earlier on Linux.

The vulnerability, CVE-2014-0497, allows an attacker to remotely inject code and take control of the underlying system hosting Flash.

A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.
  • Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.
  • Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.
  • Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

The vulnerability was reported by Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov.

Researchers from the company’s Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Categories: Vulnerabilities