Adobe today released an out-of-band security update for Flash Player that patches a vulnerability the company said is currently being exploited.
Adobe Flash Player version 220.127.116.11 and earlier for Windows and Mac are affected as is 18.104.22.1685 and earlier on Linux.
The vulnerability, CVE-2014-0497, allows an attacker to remotely inject code and take control of the underlying system hosting Flash.
A complete rundown of updates in the Adobe advisory:
- Users of Adobe Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 126.96.36.199.
- Users of Adobe Flash Player 188.8.131.525 and earlier versions for Linux should update to Adobe Flash Player 184.108.40.2066.
- Adobe Flash Player 220.127.116.11 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 18.104.22.168 for Windows, Macintosh and Linux.
- Adobe Flash Player 22.214.171.124 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 126.96.36.199 for Windows 8.0.
- Adobe Flash Player 188.8.131.52 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 184.108.40.206 for Windows 8.1.
The vulnerability was reported by Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov.
Researchers from the company’s Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.
“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.