Adobe sounds alarm on Flash zero-day attacks
Hard on the heels of last week's Reader bug, reveals zero-day vulnerability in popular Flash
Computerworld - Less than a week after warning users that hackers were exploiting an unpatched bug in its Reader PDF viewer, Adobe said on Monday that Flash, its other prominent program, was also under fire.
The company said it would patch Flash in two weeks, and Reader in three weeks.
In a new security advisory on Monday, Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system," the advisory read.
The warning credited Steven Adair of the Shadowserver Foundation for reporting the vulnerability. Representatives of Shadowserver did not immediately reply to questions late Monday.
An Adobe spokeswoman characterized the attacks as "limited" and "targeted," and aimed only at Windows users.
The same bug is also present in Adobe Reader and Acrobat, the company's free PDF viewer, and its commercial PDF creation tool. That's not unusual, because both Reader and Acrobat include code to run Flash content embedded in PDF documents. A bug in Adobe's media player often requires a patch for the PDF programs as well.
Adobe said it has no reports of attacks exploiting the Flash bug in Reader or Acrobat.
Monday's warning was the second since Sept. 8, when Adobe issued an advisory about a different unpatched, or "zero-day," vulnerability in Reader and Acrobat. Experts have said hackers began exploiting the Reader-Acrobat bug about the beginning of the month.
Those attacks have been dubbed "David Leadbetter" after the golf swing coach whose name was used in the subject lines of e-mails that included rigged PDFs.
The attacks have been called "scary" and "clever" for the way they sidestep important Windows defenses.
Adobe said it would update Flash to fix that program's flaw in two weeks, sometime during the week of Sept. 27.
The two bugs in Reader and Acrobat -- the one disclosed last week and Monday's -- will be patched in the week of Oct. 4 with an emergency, or "out-of-band" security update.
Unlike Flash, Reader and Acrobat are supposed to receive updates on the second Tuesday of every third month. Adobe was to patch Reader and Acrobat on Oct. 12, but has ditched that in lieu of the rush update.
This will make two consecutive quarters that Adobe has had to abandon its usual patch schedule because of zero-day attacks. In late June the company released an emergency Reader update two weeks ahead of an already-slated July 13 update.
Reader's early October patch will also be its third rush fix in little more than three months.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts