Adobe patches new Flash zero-day bug with emergency update
In-the-wild attacks target Windows' Internet Explorer, says company
Computerworld - Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.
"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message," the Friday advisory said.
Although all editions of Flash Player contain the vulnerability and should be patched, the active exploit is targeting only users of Microsoft's Internet Explorer (IE).
Flash Player for IE is an ActiveX plug-in, the Microsoft-only standard; other browsers, including Firefox and Chrome, use a different plug-in structure.
The update was pegged with Adobe's priority rating of "1," used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.
Adobe disclosed relatively few details about the vulnerability -- its usual practice -- other than to label it an "object confusion vulnerability," note the Common Vulnerabilities & Exposures ID of CVE-2012-0779, and acknowledge that triggering the bug "could cause the application to crash and potentially allow an attacker to take control of the affected system."
It's unclear how extensive the active attacks are, although Adobe's calling them "targeted" hints at a low volume of attempts aimed at specific individuals or companies.
Today's Flash Player update was the fourth this year -- the latest before Friday was on March 28 -- putting the frequently-patched program on about the same pace as last year, when Adobe issued a total of nine Flash security updates.
In March, Adobe addressed the frequent updating pain point -- at least for Windows users -- by shipping Flash Player 11.2, which uses a silent, background update mechanism. The silent update is supposed to kick in in some situations to automatically patch the plug-in in IE, Firefox, Safari and Opera on Windows without notifying or bothering users.
At the time, Adobe said it would switch on silent updates " on a case-by-case basis," but hinted that the service would primarily be used to distribute patches for zero-day vulnerabilities, such as today's.
Friday, Adobe confirmed that it has, in fact, enabled Flash silent updates for Windows in this instance.
A Computerworld Windows 7 system, however, was not silently updated to 126.96.36.199, the patched version within an hour of booting the PC, the interval the tool uses to check for new updates. Adobe's explanation: It did not begin serving Flash Player via silent update until about 10:30 a.m. PT, after the Windows 7 machine had pinged Adobe's servers. If the silent updater receives no response from Adobe, it waits 24 hours before trying again.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts