Flash update fixes bug unrelated to IE zero-day flaw
Adobe and Microsoft patch a critical zero-day security flaw in Adobe's Flash Player that is actively being used to target Windows users, but the bug is different from an unpatched hole in Internet Explorer.
Adobe and Microsoft have updated Flash Player across multiple platforms with an emergency zero-day bug fix on Monday, one that is different from the severe exploit that uses a well-known Flash exploit technique to plague Internet Explorer.
Adobe issued the update for all instances of Flash on Windows, Mac, and Linux, although only Windows versions of Flash were actively being exploited. The bug was used in "watering hole" attacks, which target people of a specific background who were visiting a unique website. Security firm Kaspersky, which discovered the bug, reported that in this case the attacks used a Flash video and image processing component to target Syrian dissidents.
Microsoft has updated automatically its versions of Internet Explorer that come with Flash processing libraries built in. The bug, which has been designated CVE-2014-0515, shares many similarities to CVE-2014-1776, a new Internet Explorer zero-day so severe that the Department of Homeland Security advised people to stop using the browser, but they are not the same.
That bug allows hackers to run malicious code and attack financial and defense groups in the US, said security firm FireEye, and affects Internet Explorer 6 through 11. FireEye had determined that IE 9, 10, and 11 were actively being attacked, making up more than 26 percent of the browser market.
Internet Explorer is currently used by around 55 percent of the desktop browser market, according to NetMarketShare, while StatCounter says that 22.58 percent of people surveyed use IE. While the disparity is large, in either case the flaw affects a huge number of browsers being actively used.
Correction, 2:54 p.m. PT: The headline and story have been changed to reflect that the Adobe Flash zero-day security fix is different from the unfixed Internet Explorer zero-day.