Adobe releases emergency "critical" patch for Flash vulnerability

Adobe has released a second security update to fix a critical remote-code execution vulnerability, after the initial patch proved unsuccessful.

The update for its Flash plugin, version, is considered a top priority, which is why it has been released outside the usual security fix cycle. Adobe normally releases security patches on the second Tuesday of every month.

Users operating Windows, OS X and Linux platforms have been advised to update their software to protect against the vulnerability, which is triggered by opening a specially created Flash file.

According to F-Secure, attackers originally used the Angler malware kit to exploit the security flaw, injecting malicious code into the software.

Adobe’s original attempt to patch the vulnerability prevented the first wave of attacks, but failed to correct the underlying programming error at the heart of the issue. This allowed malware scammers to modify their exploit code and continue their assault.

"We considered the possibility that maybe the latest patch [from October] prevented the exploit from working and the root cause of the vulnerability was still unfixed, so we contacted the Adobe Product Security Incident Response Team," F-Secure explained.

"They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution."

Adobe has officially recognised that this week’s update is necessary to shore up the defensive hole still present following October’s unsuccessful patch.