On February 4, Adobe released an out-of-band security update addressing a critical remote code execution vulnerability that is currently being exploited in the wild, according to the vendor’s blog post.
Our research team quickly responded to this threat, and we have already provided various protections through our products. (For details, check here.) We have learned that this vulnerability lies in the ActionScript Virtual Machine (AVM) implementations. Attackers can easily develop highly reliable exploits based on this vulnerability, so we strongly suggest that users immediately update their Flash Players.
Because the fault sits in the AVM, we would normally expect the weakness to affect almost every Flash Player version. However, our tests show that some old Flash Player versions are not affected by this vulnerability. We tested a number of recent releases (source). Here are the results:
This AVM-based vulnerability was introduced in the update of November 12, Version 11.9.900.152 or 11.7.700.252 (for Windows). Calculating the “lifetime” of this vulnerability, we see it survived for 84 days (or 12 weeks) until February 4.
Understanding the precise affected versions not only helps us understand the vulnerability more deeply, but also gives us a trustworthy way to evaluate the risk that the in-the-wild exploit poses. This case also highlights that product and security updates can not only fix vulnerabilities but also introduce new ones, especially when new features are introduced.
Users of older Flash Players (specifically, those older than Versions 11.9.900.152 or 11.7.700.252) should still perform security updates. They may be lucky to not be affected by this particular threat, but all versions of Flash are at risk for other exploits.
Thanks to my colleagues Jun Xie, Bing Sun, Chong Xu, and Xiaoning Li (Intel Labs) for their help with this analysis.