Adobe has published a Security Bulletin for Adobe Flash Player CVE-2014-0497 Remote Code Execution Vulnerability (CVE-2014-0497). The new Security Bulletin, APSB14-04, identifies an integer underflow vulnerability which affects various versions of Adobe Flash Player across multiple platforms. Exploitation of this critical vulnerability could allow an attacker to remotely execute arbitrary code. Adobe has acknowledged that exploitation of the vulnerability has been reported in the wild.
Per the bulletin, the following versions of Adobe Flash Player are vulnerable:
- Adobe Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh
- Adobe Flash Player 126.96.36.1995 and earlier versions for Linux
Symantec Security Response is continuing to monitor the situation for additional information related to this vulnerability and will provide further guidance once it is available. We recommend applying the vendor supplied patches to mitigate possible exploitation. Updates can be obtained directly from the Adobe Flash Player Download Center or by accepting the update prompt through the installed product. Versions of Flash Player embedded in Chrome and Internet Explorer can be updated to non-vulnerable versions by updating the respective browsers.