Hot on the heels of the Internet Explorer zero day vulnerability for which Microsoft issued an out-of-band security advisory last Saturday, the company put out another emergency advisory on Monday. Unlike the IE advisory, though, the patch was already available. Also unlike the IE vulnerability, this one wasn’t a problem with Microsoft’s code – but with Adobe’s. And although Microsoft is distributing the update for Windows through Windows Update, the problem isn’t confined to Windows machines; it also affects Mac- and Linux-based computers.
The bad news is that this is yet another remote code execution vulnerability, which means it could be exploited to allow an attacker to take control of the system. The really bad news is that it’s already being exploited in the wild, so it’s vitally important to get the vulnerable systems patched as soon as possible. The vulnerability is of the buffer overflow variety.
Microsoft’s advisory indicates that only newer versions of Windows are affected: Windows 8, 8.1 and both versions of RT, as well as Server 2012 and 2012 R2. Both Internet Explorer 10 and 11 are impacted. The Server Core installation of Server 2012/2012 R2 are not affected since they don’t have web browsers installed.
The exploit is web-based, so the attacker would need to convince users to visit a web site where the malicious code is hosted – either a site run by the attacker or a legitimate site that allows upload of user-provided content or advertising.
Microsoft advises that the update should be applied even on machines where Internet Explorer is not used for web browsing, because some Microsoft Office applications can invoke Flash Player in IE. The good news is that the IE modern app on Windows 8 and above only plays Flash on web sites that are on the Compatibility View (CV) list; this makes exploit more difficult because an attacker would have to compromise a site that is on the CV list. In addition, IE runs by default in Enhanced Security Configuration mode on the server operating systems so, unless that setting has been changed, exploitation is less likely on a server.
If you don’t want to apply the update for some reason (or it fails to install), there is an obvious workaround: disable Adobe Flash Player. You can do this by setting the kill bit for it in the Windows registry. Administrators can also prevent Flash Player from running on individual machines or groups of machines by using Group Policy to block it. However, you will need to change two separate Group Policy settings to keep it from being invoked by Office applications as well as to prevent it from running in IE when a web site is visited.
You can find more information and full instructions on various workarounds and the steps for implementing them in Microsoft Security Advisory 2755801 – but if possible, the best solution is to apply the update to all of your Windows PCs.
If you want to check whether a system has been updated already, the new Flash version is 220.127.116.11 for Windows and Mac and 18.104.22.1686 for Linux. Chrome will receive the update through its automatic update mechanism. Adobe has labeled the vulnerability as critical and has given the update a priority rating of 1 (highest priority) on Windows and Mac and on Chrome for Linux. The rating for Linux is a 3.
You can find links to the update for all affected operating systems/browsers in Adobe’s security bulletin for vulnerability identifier APSB14-13.