Attackers exploit latest Flash bug on large scale, says researcher
Adobe blames Flash's popularity for hacker interest, attacks
Computerworld - Hackers are aggressively exploiting a just-patched Flash vulnerability, serving attack code "on a fairly large scale" from compromised sites as well as from their own malicious domains, a security researcher said Friday.
The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second "out-of-band," or emergency update, in nine days.
"CVE-2011-2110 is being exploited in the wild on a fairly large scale," said Steven Adair, a researcher with the Shadowserver Foundation, a volunteer-run group that tracks vulnerabilities and botnets. "In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs [non-government organizations], aerospace companies, a Korean news site, an Indian government Web site, and a Taiwanese university."
CVE-2011-2110 is the identifier for the Flash vulnerability assigned by the Common Vulnerabilities and Exposures database.
Attackers are also using the exploit in "spear phishing" attacks aimed at specific individuals, said Adair on the Shadowserver site.
Adair called the attacks "nasty" because the exploit "happens seamlessly in the background," giving victims no clue that their systems have been compromised.
When Adobe patched the vulnerability last week, it conceded that exploits were already in use.
Adair also said there's been an increase in Flash-based attacks. "There has been an ongoing assault against Flash Player for several years now, but especially so in the last three months," Adair said.
Adobe has patched Flash Player four times in the last two months, and six times so far this year. Of the six updates, five addressed "zero-day" bugs that attackers were already exploiting at the time the patches were issued.
Brad Arkin, Adobe's director of product security and privacy, acknowledged the problems in keeping ahead of attackers, but blamed the popularity of Flash Player for the attention.
"The installed base [of Flash Player] is a real big part of it," said Arkin. "It's such a widely distributed technology that attackers find it worthwhile to invest the time to carry out some kind of malicious activity. They're making an investment for the biggest return possible."
Arkin also argued that attackers get more bang for their buck by rooting out Flash vulnerabilities than they do looking for bugs in individual browsers because virtually every personal computer has the Flash plug-in installed. "Flash is the code [used in the browser] that has the highest market penetration," he said.
According to Adair, the exploit of CVE-2011-2110 has been in use since June 9, five days before Adobe issued its latest security update. Arkin corroborated that timeline.
Although Adobe's working on boosting Flash's security -- it's collaborated with Google, for example, to sandbox Flash in Chrome -- for now, its best defense is to quickly react to exploits with a patch.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts