14 DAY TRIAL // A security flaw in Flash Player, addressed by Adobe in the latest update of the product, has been included in Fiesta, a commercial exploit kit used for drive-by attacks.
The vulnerability the exploit kit takes advantage of is identified as CVE-2014-0569, an integer overflow that can lead to executing arbitrary code on an affected machine.
It is unusual for cybercriminals to include an exploit for a recently patched flaw in their tools, especially since the glitch was disclosed privately to Adobe by researcher Bilou, who works with HP’s Zero Day Initiative.
Generally, when disclosing a vulnerability responsibly, the security researcher making the discovery provides details about the flaw and maybe proof-of-concept material in a private manner.
This means that the exploit code, exactly what cybercriminals need to take advantage of the weakness, is not leaked to third-parties.
French security researcher Kafeine found the improved variant of Fiesta and sent it to F-Secure for analysis, who determined that an exploit for CVE-2014-0569 in Flash versions below 15.0.0.189 had been integrated
Kafeine thought at the beginning that an older vulnerability, CVE-2014-0556, had been leveraged by the exploit kit, but Timo Hirvonen of F-Secure pointed to the newer glitch being taken advantage of.