Adobe patches latest Flash zero-day
Google Chrome users got the the update Thursday
Computerworld - Adobe today patched a critical vulnerability in Flash Player that the company said criminals were already exploiting with malicious Microsoft Word and Excel documents.
On Monday, Adobe acknowledged the bug, said exploits were circulating, and promised to fix the flaw with an emergency update.
Today's update was Adobe's second rush patch in less than four weeks.
The new version, Flash Player 10.2.159.1, is available for Windows, Mac, Linux and Solaris.
Missing from that list is Android, the Google mobile operating system that also runs Flash. A fix for the same flaw will be issued to Android users no later than the week of April 25, said Adobe.
Adobe will patch the popular PDF viewer Adobe Reader that same week. The Flash vulnerability also exists in Reader and the more advanced Acrobat because both include code that renders Flash content embedded in PDF files.
Although initial attacks were launched using malicious Word attachments, hackers later expanded the campaign to include malformed Excel files, according to Mila Parkour, the independent security researcher who reported the Flash flaw to Adobe.
Parkour, who has been tracking the attacks for more than a week, has published information about them on her Contagio Malware Dump blog.
Some of the earliest messages in the attack tried to get recipients to open the attached Word or Excel files by claiming they offered information on China's antitrust laws, or a purported Japanese nuclear weapons program. Later messages were more mundane, and posed as corporate reorganization plans or new company contact lists.
Parkour also traced the resulting malware's "phone-home" communications to a server registered in China, and noted that some of the malicious Word and Excel documents had been originally crafted in Chinese.
Google updated its Chrome browser -- which includes a copy of Flash Player -- Thursday, fixing not only the Adobe bug but a trio of critical vulnerabilities in the browser's hardware acceleration technology. Like Internet Explorer and Firefox, Chrome taps the computer's graphics processor (GPU) to handle some page composition and rendering tasks.
Google usually tags as "critical" only those bugs that attackers could use to escape the browser's "sandbox," an anti-exploit technology designed to prevent malicious code from escaping the browser.
Users running other browsers can download the patched version of Flash Player from Adobe's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!