Adobe patches second Flash zero-day in 9 days
Hackers exploiting bug, company confirms as it also updates Reader, ShockWave and ColdFusion
Computerworld - For the second time in nine days, Adobe on Tuesday patched a critical vulnerability in Flash Player that hackers were already exploiting.
Adobe also updated its popular Reader PDF viewer to quash 13 new bugs and several older ones the company had not gotten around to fixing.
The memory corruption vulnerability in Flash Player was pegged "critical" by Adobe, which said that the bug could "potentially allow an attacker to take control of the affected system" in an accompanying advisory. "There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages," the advisory added.
Adobe last issued an emergency update -- dubbed "out-of-band" -- on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials.
Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists, with messages that tried to trick them into entering their username and password on a fake Gmail login screen.
Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash.
Adobe has patched Flash Player four times in the last two months, and six times so far this year.
Although most Flash vulnerabilities can also be exploited using specially crafted PDF documents -- Adobe's Reader includes "authplay.dll," a custom version of Flash that renders content within PDFs -- Adobe said the newest Flash bug doesn't impact Reader.
All but two of the 13 new bugs were pegged "critical" by Adobe, which like Apple doesn't rate flaws with a multi-label scoring system. Instead, it uses the phrase "could lead to remote code execution" to note that hackers may be able to hijack the system and plant malware on the machine by exploiting the bug.
The baker's dozen of new bugs included memory corruption vulnerabilities, buffer and heap overflow bugs, a cross-document scripting flaw, a DLL load hijacking vulnerability and one simply labeled a "security bypass" bug.
That last was a Reader X-only vulnerability that under certain circumstances lets an attacker force the Reader browser plug-in to download a non-PDF file, Adobe said in a reply to follow-up questions.
Adobe also applied at least four -- and perhaps several more -- patches to Reader X that it had declined to fix in three earlier out-of-band updates going back to March.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts