It goes without saying, most people do not patch right away, and if you fall into that category, watch out because if you did not update Flash Player with the fixes released Oct. 14, attacks are at your doorstep.
New attacks using a commercial exploit kit called Fiesta is hitting the vulnerability hard, researchers said. The vulnerability, CVE-2014-0569, ended up fixed in Flash Player updates last week.
The bundling of an exploit for CVE-2014-0569 in an attack tool sold on underground markets is unusual, especially since Hewlett-Packard’s Zero Day Initiative (ZDI) program privately reported the vulnerability to Adobe, which meant its details should not be public.
The creators of exploit kits like Fiesta typically reuse proof-of-concept exploits published online by researchers or included in legitimate penetration testing tools like Metasploit. That’s because reverse engineering patches to discover vulnerabilities and then writing reliable exploits for them requires advanced knowledge, which means professionals are in charge.
The use of custom, non-public exploits is much more common in targeted cyberespionage campaigns than in mass-scale drive-by download attacks that favor a catch-all approach and are typical to attackers using commercial exploit kits.
The use of a CVE-2014-0569 exploit in a Fiesta-powered attack first came to light via an independent malware researcher known online as Kafeine. Initially he believed the exploit targeted a Flash vulnerability called CVE-2014-0556 that ended up patched in September, but Timo Hirvonen, a researcher at F-Secure, later determined it actually attacked the much newer flaw.
Regardless of where the exploit came from, users who have not yet installed the latest Flash Player updates should do so as soon as possible; especially companies that do not allow automatic updates.
Windows and Mac users should update to Flash Player 18.104.22.168, or 22.214.171.124 if they’re using the extended support release. Users of Flash Player on Linux should upgrade to version 126.96.36.1991. The Flash Player plug-ins bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will receive patches though the update mechanisms of those browsers.