A Flash Player security vulnerability that Adobe patched in the most recent update of the product has been added to a commercial exploit kit named Fiesta, which is known for its use in drive-by attacks. The flaw Fiesta exploits can lead to arbitrary code execution on the compromised machine. It has been identified as CVE-2014-0569.
It is quite unusual for attackers to include in their attacks an exploit for a vulnerability that has only recently been patched. The flaw was discovered by a researcher working with HP’s Zero Day Initiative and disclosed to Adobe privately. Customarily the researcher who found the flaw provides full details on it, as well as proof-of-concept material, to the vendor only. Full confidentiality is required in such cases in order to avoid any chance that cyber criminals get their hands on exploit code for the vulnerability.
Another researcher, Kafeine, detected the updated version of Fiesta and immediately sent it to the security company F-Secure for analysis, where specialists confirmed that an exploit for CVE-2014-0569 had been integrated into the kit, targeting Flash versions below 15.0.189. Kafeine initially thought this was an older vulnerability (CVE-2014-0556), but an analyst from F-Secure pointed out that the new flaw is the one being exploited.
Regardless of the origin of the vulnerability, computer users who haven’t installed the latest Flash updates yet should do so immediately. This is especially important for large companies, where patch deployment takes longer because automatic software updates are disabled.