After failing to fully patch a security hole found in Flash last month, Adobe has released another fix that aims to patch up the vulnerability for good.
The security fix is for the flaw called CVE-2014-8439, for which a first security patch was released a week after it was discovered by independent security researcher Kafeine and reported by Finland-based security firm F-Secure to be used in an in-the-wild exploit that attacks the user's web browser and install malicious software.
Adobe recommends that all users update their Flash Player to the latest version. Windows and Mac users should update to version 15.0.0.189, while Linux users should use Flash 11.2.202.411. Flash Extended Support Release should update to 13.0.0.250. Both Google and Microsoft will also automatically update Chrome and Internet Explorer 10 and 11 to install the security patch, although users can also update their browser plugins for Flash by downloading it from the Adobe Flash Player Download Center.
Adobe released the first security update to CVE-2014-8439 and three other known issues on Oct. 14. Unfortunately, developers exploiting the vulnerability found a way to get around the fix and were able to continue with the attacks.
On Tuesday, security researcher Timo Hirvonen of F-Secure said that he received an exploit sample from Kafeine which showed that the attacks were still ongoing even after the patch has been released. Hirvonen said Kafeine discovered the Angler exploit kit continuing to exploit the vulnerability just days after Adobe released the first patch. This was soon followed by the discovery of the exploit kits Astrum and Nuclear.
Exploit kits are toolkits that allow hackers to take advantage of security holes found in software to install malware in the user's system. When a user visits a compromised website, he is redirected through a series of intermediary servers until he lands on the rogue server that implants the malicious software into his computer.
"We considered the possibility that maybe the latest patch prevented the exploit from working and the root cause of the vulnerability was still unfixed so we contacted the Adobe Product Security Incident Response Team," Hirvonen said.
"They confirmed our theory and released an out-of-band update to provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution, CVE-2014-8439," he added.
