Adobe on Tuesday released an out-of-band security update to address a critical zero-day security vulnerability in Adobe Flash Player that could allow an attacker to remotely take control of an affected system.
Adobe has released security updates for Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh and Adobe Flash Player 18.104.22.1685 and earlier versions for Linux.
Adobe said that the vulnerability (CVE-2014-0497), reported to Adobe by Alexander Polyakov and Anton Ivanov of Kaspersky Lab, has an exploit that exists in the wild.
Interestingly, Kaspersky Lab said earlier this week that it has been investigating a sophisticated malware that leverages high-end exploits, and includes a bootkit and rootkit, and also has versions for Mac OS and Linux.
Neither Adobe nor Kaspersky Lab disclosed if the vulnerability patched today by Adobe has any connection to the cyber-espionage operation that Kaspersky Lab is calling “one of the most advanced threats at the moment”.
“Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions,” the company said.
An entry into the National Vulnerability Database for CVE-2014-0497 has not yet been created.
Adobe urged users should to update their software to the latest versions of Adobe Flash Player:
• Users of Adobe Flash Player 22.214.171.1245 and earlier versions for Linux should update to Adobe Flash Player 126.96.36.1996.
• Adobe Flash Player 188.8.131.52 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 184.108.40.206 for Windows, Macintosh and Linux.
• Adobe Flash Player 220.127.116.11 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 18.104.22.168 for Windows 8.0.
• Adobe Flash Player 22.214.171.124 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 126.96.36.199 for Windows 8.1.
If there is any connection between CVE-2014-0497 and the operation dubbed “The Mask” by Kaspersky Lab, it will not likely be disclosed until the company shares the details of its findings at the Kaspersky Security Analyst Summit 2014 (SAS), taking place next week in Punta Cana, Dominican Republic.