French researcher Kafeine found the exploits in the Angler and Nuclear kits less than a week after Adobe released an update Oct. 14.
The update addressed three CVEs, all of which could lead to memory corruption or integer overflows, enabling attackers to remotely load and execute code on the compromised computer. Today’s patch adds CVE-2014-8439, reported by Kafeine to Adobe.
“These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution,” Adobe said today in its advisory.
Fiesta and Angler are used to compromise vulnerable websites and redirect site visitors to sites hosting banking malware, malvertising schemes and other attacks. Flash Player bugs are among the most common vulnerabilities exploited by such kits, as well as Java and Microsoft Silverlight vulnerabilities.
The inclusion of the Oct. 14 CVEs in the exploit kits was worrisome to Kafeine, who does extensive research into these attack tools, noting that an attacker likely found a way to reverse-engineer the Adobe patch in order to drop it in the EK inside of a week.
Kafeine said that the Adobe patches released on Oct. 14 likely protected users from the active exploits, but the vulnerability remained exposed to future exploit development.
Today’s update moves Flash Player to version 184.108.40.206 for Windows and Macintosh users, and 220.127.116.114 for Linux users. Chrome and Internet Explorer users will be updated automatically by Google and Microsoft respectively.
Another Adobe exploit in Angler was reported last week, also by Kafeine.
This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers.
“The vulnerability is being exploited in blind mass attack. No doubt about it : the team behind Angler is really good at what it does,” he said in a blog post.