Adobe finds, patches ANOTHER exploited Flash 0day
One down, one to go.
Another exploited zero-day vulnerability has been uncovered and patched in Adobe Flash, 24 hours after a second flaw in the popular web trinket was found being used in attack kits.
Adobe is examining yesterday's zero day, picked up by French researcher Kafeine who spotted it after analysing a version of the popular Angler exploit kit.
The vulnerability affected Flash Player versions up to 18.104.22.168 and the latest 22.214.171.1247.
The latest zero-day, now fixed in a rare emergency patch for Windows, Mac and Linux, was being used by attackers to circumvent memory randomisation mitigations in Windows.
"These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform," Adobe said in an advisory.
Further analysis of the unpatched zero-day has revealed it now affected Windows 8.1 running Internet Explorer 11, the latest suite of Redmond's wares.
However the attack appeared to fail when Microsoft's lauded Enhanced Mitigation Experience Toolkit was used, the preliminary analysis found.
That last piece of news will boil the blood of black hats who typically invest significant resources into developing zero day exploits, even more so since Adobe changed its security spots and became a tougher nut to crack.
That change owes much to Adobe security boss Brad Arkin who implemented a strategy that sped the time-to-patch from 10 weeks in 2009 when Arkin joined as a product security bod to a recent record of 36 hours.
In October he told Australian security bodsto focus on increasing the cost of exploitation, rather than firing fixes. ®