Adobe out-of-band patch for Flash vulnerability

Today Adobe published an out-of-band patch for a critical vulnerability in the Adobe Flash Player. Adobe is aware of attack in the wild that target the Windows platform and recommends installing update APSB14-13 as quickly as possible. The most likely attack vector is a webpage that contains a malicious SWF file and a  successful attacker can gain control of the targeted machine.

Kaspersky has a blog post with more information in it: according to their telemetry the first instances of the attacks were detected on April 9th and come embedded in an uncompressed video file. They also note that they have received two variants of the exploit, with one specifically targeting users of Cisco MeetingPlace Express, characterizing this a quite specific spear-phishing type of attacks.

BTW, it is our understanding that this vulnerability is independent from Microsoft’s current 0-day in Internet Explorer, where the exploit also used Flash to setup the environment.

Anyway, we recommend updating your Flash player as quickly as possible.