NEWS FROM THE LAB - Tuesday, November 25, 2014

Out-of-Band Flash Player Update for CVE-2014-8439

Posted by Timo @ 16:35 GMT

Adobe has released an out-of-band update to fix a vulnerability in Flash Player which was reported by F-Secure.

We discovered the vulnerability while analyzing a Flash exploit from an exploit kit called Angler. We received the sample from Kafeine, a renowned exploit kit researcher. He asked us to identify the vulnerability which was successfully exploited with Flash Player but not with That would imply the vulnerability was something patched in APSB14-22. However, based on the information that we had received via the Microsoft Active Protections Program, the exploit didn't match any of the vulnerabilities patched in APSB14-22 (CVE-2014-0558, CVE-2014-0564, or CVE-2014-0569).

We considered the possibility that the latest patch only prevented the exploit from working and that the root cause of the vulnerability was still unfixed, so we contacted the Adobe Product Security Incident Response Team. They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution, CVE-2014-8439.

Kafeine reported Angler exploiting this vulnerability as early as October 21st, 2014, soon followed by the Astrum and Nuclear exploit kits. Considering that the exploit kit authors reverse engineered October's Flash update in two days, installing the update immediately is paramount, whether you do it manually or automatically.

F-Secure detects the Flash exploits mentioned in this post with the following detections:

  •  Exploit:SWF/Salama.H
  •  Exploit:SWF/CVE-2014-0515.C

Post by — Timo