Attacks/Breaches
4/12/2011
11:45 AM

Adobe Flash Attacks Exploit Zero-Day Vulnerability

No patch is yet available against threat targeting government workers that uses malicious Flash inserted into Microsoft Word documents.

Adobe on Monday released a security advisory warning that Adobe Flash Player, Adobe Reader, and Adobe Acrobat are susceptible to a zero-day vulnerability that's being actively exploited.

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform," said Adobe. "At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat."

A successful exploit would allow the attacker to crash or take over the targeted system.

Vulnerable software includes Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems; Flash Player 10.2.154.25 and earlier for Chrome users; and Adobe Flash Player 10.2.156.12 and earlier for Android. In addition, the Authplay.dll component, included with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, is also vulnerable.

But Adobe said that protected mode in Adobe Reader X would prevent this type of exploit from being able to execute. In addition, these products aren't affected: Reader 9.x for Unix, Reader for Android, and 8.x versions of Reader and Acrobat.

Attackers are exploiting the vulnerability via spear-phishing campaigns against U.S. government workers and contractors, according to security reporter Brian Krebs.

No patch is available yet for Flash, Reader, or Acrobat, though Adobe said it is "in the process of finalizing a schedule for delivering updates." Since Adobe Reader X would block the attack, Adobe said it won't get patched until the next regularly scheduled quarterly security update, planned for June 14.

The new vulnerability announcement comes three weeks after Adobe released an emergency patch to safeguard its products against similar exploits. As that suggests, when it comes to vulnerabilities, attackers have largely shifted their focus from operating systems and browsers to browser plug-ins, and especially Flash.

But businesses are having a difficult time coping with the non-stop "patch or perish" cycle that results from the seemingly endless stream of new vulnerabilities. According to the forthcoming May 2011 InformationWeek Analytics Strategic Security Survey of business technology and security professionals, from 2010 to 2011 the number of organizations that rated their patch management processes "very effective" dropped from 27% to 22%.

Furthermore, according to VirusTotal, a service that analyzes antivirus software effectiveness, as of Saturday only one out of 42 antivirus products was detecting as malicious a file, "Disentangling Industrial Policy and Competition Policy.doc", being used in the attack. By Tuesday, however, 15% of the 42 antivirus software applications were detecting it.
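As an added example that is not part of the original article or of Adobe's advisory, the following script is a defender-side triage check for the delivery vector described above (a Flash .swf embedded in a .doc) at a time when most antivirus engines missed the sample: it scans a binary blob for SWF header signatures and flags a legacy OLE Word container that carries one. The sample document bytes are constructed for the example; the `triage` and `find_embedded_swf` names are this example's own.

```python
import struct

# SWF headers: uncompressed (FWS), zlib-compressed (CWS), LZMA-compressed (ZWS).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt container

def find_embedded_swf(data: bytes, max_version: int = 30):
    """Return sorted (offset, signature, version, declared_length) tuples for every
    plausible SWF header found anywhere in the blob.

    An SWF header is 3 magic bytes, a 1-byte version, then a little-endian uint32
    holding the uncompressed length of the whole file. The version and length
    sanity checks reduce false positives on random byte runs."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            start = pos + 1
            if pos + 8 > len(data):
                continue
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            if not (1 <= version <= max_version and length >= 8):
                continue
            # An uncompressed SWF cannot claim more bytes than remain in the
            # container; compressed variants may legitimately declare more.
            if magic == b"FWS" and length > len(data) - pos:
                continue
            hits.append((pos, magic.decode(), version, length))
    return sorted(hits)

def triage(data: bytes) -> str:
    """Classify a blob; an OLE document carrying Flash content matches the
    pattern in the advisory above and deserves sandboxing or manual review."""
    is_ole = data.startswith(OLE_MAGIC)
    swfs = find_embedded_swf(data)
    if is_ole and swfs:
        return "suspicious: OLE document with embedded SWF"
    if swfs:
        return "swf content present"
    return "no swf found"

# Constructed sample: OLE header, filler, then a minimal FWS header (version 10,
# declared length 32) plus padding, simulating a Flash object dropped into a .doc.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 504
              + b"FWS" + bytes([10]) + struct.pack("<I", 32) + b"\x00" * 24)
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    print(triage(SAMPLE_DOC))   # suspicious: OLE document with embedded SWF
    print(triage(CLEAN_DOC))    # no swf found
```

The check is a cheap first pass for mail-gateway or incident triage; it does not parse the OLE stream table, so a compressed or obfuscated object that hides the header bytes will not be caught.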
