Adobe confirms new zero-day Flash bug
Patches Google-reported XSS flaw hackers now exploiting in targeted attacks
Computerworld - Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).
"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update. "There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
The attack only works against IE.
Adobe said the other six vulnerabilities, all rated critical like the XSS bug, were memory corruption flaws or security bypass bugs that "could cause a crash and potentially allow an attacker to take control of the affected system."
Google was credited with notifying Adobe of the XSS vulnerability, but Adobe did not note when Google filed the bug report or how long attackers have been exploiting the bug.
To patch the vulnerabilities, Adobe updated Flash Player 11 and Flash Player 10 on Windows, Mac OS X, Linux and Solaris, and Flash Player on Android.
Also on Wednesday, Google updated Chrome to offer the newly patched Flash to its users. Google has packaged Flash Player with Chrome since April 2010, and Chrome remains the only browser that ships its own copy of Flash Player.
Last week, Adobe confirmed that its next target for a "sandboxed" Flash Player would be the plug-in for Internet Explorer. But Adobe confirmed that even if the defense had been in place, the active attacks exploiting the just-patched XSS vulnerability would still have succeeded.
"The universal [XSS] vulnerability breaks the same-origin security model in the browser and allows the attacker to 'make clicks' on behalf of the user in a way that is normally not allowed," said Adobe spokeswoman Wiebke Lips in an email reply to questions. "All of this activity occurs within the browser context, so running the browser in a low-rights sandbox would not change the behavior of the attack. Even if we had a rock-solid sandbox in place for Flash Player on Internet Explorer, this vulnerability could have been exploited the same way."
Adobe finished a sandboxed Flash for Chrome in 2010, and has just launched a beta of sandboxed Flash for Mozilla's Firefox on Windows Vista and Windows 7.
Wednesday's Flash update was the first this year for the media player, but the software has required aggressive patching: In 2011, Adobe fixed Flash flaws nine different times.