Adobe patches second Flash zero-day in 9 days

Hackers exploiting bug, company confirms as it also updates Reader, ShockWave and ColdFusion

For the second time in nine days, Adobe on Tuesday patched a critical vulnerability in Flash Player that hackers were already exploiting.

Adobe also updated its popular Reader PDF viewer to quash 13 new bugs and several older ones the company had not gotten around to fixing.

The memory corruption vulnerability in Flash Player was pegged "critical" by Adobe, which said that the bug could "potentially allow an attacker to take control of the affected system" in an accompanying advisory . "There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages," the advisory added.

Adobe last issued an emergency update -- dubbed "out-of-band" -- on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials.

Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals , including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists, with messages that tried to trick them into entering their username and password on a fake Gmail login screen.

Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash.

Adobe has patched Flash Player four times in the last two months, and six times so far this year.

Although most Flash vulnerabilities can also be exploited using specially crafted PDF documents -- Adobe's Reader includes "authplay.dll," a custom version of Flash that renders content within PDFs -- Adobe said the newest Flash bug doesn't impact Reader.

Alongside the Flash security update, Adobe also fixed 13 new vulnerabilities in Reader. The newest version, Reader X, received at least 17 patches.

All but two of the 13 new bugs were pegged "critical" by Adobe, which like Apple doesn't rate flaws with a multi-label scoring system. Instead, it uses the phrase "could lead to remote code execution" to note that hackers may be able to hijack the system and plant malware on the machine by exploiting the bug.

The baker's dozen of new bugs included memory corruption vulnerabilities, buffer and heap overflow bugs, a cross-document scripting flaw, a DLL load hijacking vulnerability and one simply labeled a "security bypass" bug.

That last was a Reader X-only vulnerability that under certain circumstances lets an attacker force the Reader browser plug-in to download a non-PDF file, Adobe said in a reply to follow-up questions.

Adobe also applied at least four -- and perhaps several more -- patches to Reader X that it had declined to fix in three earlier out-of-band updates going back to March .

Although the company had patched older editions in those updates, it had not fixed Reader X, saying each time that because the program's "sandbox" prevented malware from affecting the computer, it would instead wait for Tuesday's already-scheduled quarterly update.

Reader X , which Adobe rolled out last November, includes anti-exploit sandbox technology designed to isolate the program from the rest of the system. Theoretically, the sandbox insures that malware which does launch inside Reader X can't escape to infect the PC or Mac.

According to Adobe, none of the Reader vulnerabilities patched Tuesday have been exploited in the wild.

At the same time it shipped the Flash Player and Reader security refreshes, Adobe also patched 24 vulnerabilities in Shockwave Player, two in LifeCycle Data Services and Blaze DS -- a live streaming service and data push service, respectively -- and two in ColdFusion, an Adobe development platform.

The patched versions of Reader and Flash Player can be downloaded from Adobe's Web site. Alternately, users can run the programs' integrated update tool or wait for the software to prompt them that a new version is available.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2011 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon