The 0-day flaw in Flash, CVE-2014-0502, was discovered about a week ago by FireEye, which states that it was found on three websites run by non-profit institutions. Fortunately, organizations running the latest operating systems and application code are not affected by the attack: they lack the vulnerable components that the attack needs to succeed.
In particular, the attack needs to bypass ASLR to be successful and therefore targets only certain configurations:
- Windows XP (which does not have ASLR)
- Windows 7 with Java 1.6 installed, which allows for an ASLR bypass; Java 1.6 is already EOL and in general vulnerable to other exploits
- Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits.
Microsoft has updated advisory KB2755801, which centralizes the Flash updates in Internet Explorer 10 and 11. Users of IE10 or IE11, as well as Google Chrome, do not need to update Adobe Flash separately; the update is handled automatically through their browsers.
Author: Wolfgang Kandek, CTO, Qualys.