November Patch Tuesday – Part 3
Last updated on: October 27, 2022
Yesterday Adobe published the second update (APSB14-26) of Adobe Flash this month, an out of band release. After addressing 18 CVEs in the November 11 update (APSB14-24), the new version of Flash has only a single fix for CVE-2014-8439. Adobe does not say why this CVE is so important that it warrants this unexpected release, but points out that a mitigation for this problem had been introduced already in APSB14-22 in October.
They acknowledge the work of a trio of security researchers that are all quite involved in malware detections in the wild (Sébastien Duquette of ESET, Timo Hirvonen of F-Secure and Kafeine from malware.dontneedcoffee.com) which makes me think that they have seen the initial signs of exploitation attempts. I would address the flaw as quickly as possible.
Internet Explorer 10 and 11 and Google Chrome will autoupdate Flash; on other browsers you will have to run the update yourself. You can use our free BrowserCheck tool to get a quick overview of the security situation on your desktop or laptop. With the BrowserCheck Business Edition you can even control a small network and see how your users are keeping their machines at the latest level.