Adobe has published a Security Bulletin for the Adobe Flash Player CVE-2014-0515 Buffer Overflow Vulnerability (CVE-2014-0515). The new Security Bulletin, APSB14-13, identifies a buffer overflow vulnerability that affects various versions of Adobe Flash Player across multiple platforms. Exploitation of this critical vulnerability could allow an attacker to remotely execute arbitrary code. Adobe has acknowledged that exploitation of the vulnerability has been reported in the wild. Further details indicate it has been used in targeted attacks.
Per the bulletin, the following versions of Adobe Flash Player are vulnerable:
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows
- Adobe Flash Player 22.214.171.124 and earlier versions for Macintosh
- Adobe Flash Player 126.96.36.1990 and earlier versions for Linux
Symantec Security Response is continuing to monitor the situation for additional information related to this vulnerability and will provide further guidance once it is available. We recommend applying the vendor supplied patches to mitigate possible exploitation. Updates can be obtained directly from the Adobe Flash Player Download Center or by accepting the update prompt through the installed product. Versions of Flash Player embedded in Chrome and Internet Explorer can be updated to non-vulnerable versions by updating the respective browsers.
Update – April 29, 2014:
Symantec protects customers against this attack with the following detections:
Web Attack: Adobe Flash Player CVE-2014-0515
Symantec customers that use the Symantec.Cloud service are also protected from emails containing this exploit.