Risk
2/27/2013 11:11 AM

Flash Patch, Take Three: Adobe Issues New Fix

With attackers actively exploiting zero-day flaws in Flash Player, Adobe has released its third emergency Flash update this month.

For the third time this month, Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users' systems.

According to Adobe's security bulletin, "these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe's update patches a permissions bug in the Flash Player sandbox (CVE-2013-0643), a bug in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vulnerability (CVE-2013-0504). The latter two bugs can be exploited to execute arbitrary code on affected systems.

According to Adobe, the first two vulnerabilities are being actively exploited in an attack directed at Firefox users that's "designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." That content then allows an attacker to take control of the system.


Adobe has given the Windows and OS X updates a priority rating of "1," meaning they address bugs that are being exploited, or are likely to be, and should be installed within 72 hours. The Linux update, meanwhile, has received only a priority rating of "3," meaning the bugs on that platform haven't historically been targeted by attackers, leading Adobe to recommend that "administrators install the update at their discretion." The priority rating is separate from Adobe's severity rating, which is "critical" on all three platforms: priority reflects how likely exploitation is, not how much damage a successful exploit does.

The latest, fixed versions of the affected products are Adobe Flash Player 11.6.602.171 for Windows and OS X, and Adobe Flash Player 11.2.202.273 for Linux. Google Chrome and Internet Explorer 10 on Windows 8 each ship their own copy of Flash Player, which Google and Microsoft push out through the browser's own update channel, so users of those browsers should see the bundled copy update automatically. That copy is separate from the system-wide Flash plugin, however, so Firefox, Safari, Opera and any other browser on the same machine still need the update from Adobe.

As of Wednesday morning, however, Wolfgang Kandek, CTO of Qualys, said via email that while IE10 appeared to have received the Flash update Tuesday, no update had yet been pushed by Google for Chrome.

Unsure which version of Flash your PC is running? "To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu," says Adobe's security bulletin. "If you use multiple browsers, perform the check for each browser you have installed on your system."
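Checking one browser's About page is fine for a single PC, but across a fleet the check has to be done per browser and per platform, and the comparison has to be numeric, since a string compare ranks "11.10.x" below "11.6.x" and the Linux fix (11.2.202.273) is numerically lower than the Windows/OS X fix (11.6.602.171) while still being fully patched. The following Python script is an added example, not Adobe's code or code from this article: it applies the fixed versions from the bulletin to a per-browser inventory and attaches the patch deadline implied by Adobe's priority rating (1 = within 72 hours, 2 = within 30 days, 3 = at the administrator's discretion, per Adobe's published priority definitions). The host names, browser labels and version numbers in SAMPLE_INVENTORY are constructed sample data.

```python
"""Flash Player patch-status check against the fixed builds in Adobe's
February 26, 2013 Flash bulletin.

Added example for this article; not Adobe's code. The inventory records in
SAMPLE_INVENTORY are constructed sample data, not real hosts.
"""
from datetime import datetime, timedelta

# Fixed builds named in the bulletin, keyed by platform. Note the Linux
# branch (11.2.x) is numerically below the Windows/OS X branch (11.6.x).
FIXED = {
    "windows": (11, 6, 602, 171),
    "osx": (11, 6, 602, 171),
    "linux": (11, 2, 202, 273),
}

# Adobe priority ratings from the bulletin, and the patch window Adobe
# attaches to each rating (priority 2 is included for completeness).
PRIORITY = {"windows": 1, "osx": 1, "linux": 3}
PATCH_WINDOW = {1: timedelta(hours=72), 2: timedelta(days=30), 3: None}

# Date the bulletin was issued (Tuesday, February 26, 2013).
BULLETIN_DATE = datetime(2013, 2, 26)


def parse_version(text):
    """Turn '11.6.602.171' into a tuple of ints so comparison is numeric.

    A plain string comparison would rank '11.10.0.0' below '11.6.602.171'.
    Anything that is not four dotted integers is rejected rather than
    silently treated as patched or unpatched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash Player version format: %r" % text)
    return tuple(int(p) for p in parts)


def is_patched(platform, version):
    """True if this install is at or above the fixed build for its platform.

    The comparison is always against the fix for *that* platform: a Linux
    install at 11.2.202.273 is patched, while a Windows install at the same
    number is not (its fixed build is 11.6.602.171).
    """
    return parse_version(version) >= FIXED[platform]


def audit(inventory, now=BULLETIN_DATE):
    """Return one finding per browser install still on a vulnerable build,
    with the deadline implied by Adobe's priority rating for that platform."""
    findings = []
    for rec in inventory:
        if is_patched(rec["platform"], rec["version"]):
            continue
        prio = PRIORITY[rec["platform"]]
        window = PATCH_WINDOW[prio]
        findings.append({
            "host": rec["host"],
            "browser": rec["browser"],
            "version": rec["version"],
            "fixed": ".".join(str(n) for n in FIXED[rec["platform"]]),
            "priority": prio,
            "due": (now + window).isoformat() if window else "at discretion",
        })
    return findings


# Constructed sample inventory: one record per browser on each host, as the
# bulletin's "perform the check for each browser" advice implies. ws01 shows
# the bundled IE10 copy updated while the NPAPI plugin used by Firefox did not.
SAMPLE_INVENTORY = [
    {"host": "ws01", "platform": "windows", "browser": "Internet Explorer 10",
     "version": "11.6.602.171"},
    {"host": "ws01", "platform": "windows", "browser": "Firefox (NPAPI plugin)",
     "version": "11.6.602.168"},
    {"host": "ws02", "platform": "osx", "browser": "Chrome (bundled)",
     "version": "11.6.602.167"},
    {"host": "srv03", "platform": "linux", "browser": "Firefox",
     "version": "11.2.202.273"},
    {"host": "srv04", "platform": "linux", "browser": "Firefox",
     "version": "11.2.202.262"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print("%(host)s / %(browser)s: %(version)s < %(fixed)s "
              "(priority %(priority)d, due %(due)s)" % f)
```

Run as written, the script flags the Firefox plugin on ws01, the bundled Chrome copy on ws02 and the Linux host srv04, and leaves the patched IE10 and srv03 installs alone; on a real fleet the inventory would come from whatever reads the plugin's file version or the About page for each browser.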

As noted, users of Adobe Flash Player on Windows and OS X should update immediately, because beyond the in-the-wild attacks, attackers tend to quickly reverse-engineer and target any other bugs that have been fixed by a vendor. For example, crimeware toolkit vendors took just two weeks -- at most -- to add into their software an exploit for one of the recent, critical Java bugs, according to the French security researcher who goes by the name "Kafeine."

Security researcher Eric Romang, notably, discovered that the Cool Exploit Kit crimeware package has included an exploit for the Java bug since at least Feb. 15. Cool Exploit Kit, which rents for $10,000 per month, is maintained by the creator of the Blackhole crimeware toolkit, which infects victims' PCs with malware designed to steal their personal financial information.

According to security researcher Chris Wakelin, the newly exploited Java bug appears to be the same as the "issue 52" (CVE-2013-0431) vulnerability discovered by Poland-based research firm Security Explorations and reported to Oracle, which confirmed the bug and said it would be fixed in a future security update.

Meanwhile, an exploit for the same Java bug was added Monday to the open source Metasploit penetration testing framework, which means anyone can now run it, not just exploit kit customers.


Comments
gyrostu, User Rank: Apprentice, 3/1/2013 8:46:25 PM
re: Flash Patch, Take Three: Adobe Issues New Fix
So next time you are frustrated that you cannot view Flash on your iOS device be glad Apple rejected the reliance on a third party technology integration.