Risk
2/27/2013
11:11 AM
50%
50%

Flash Patch, Take Three: Adobe Issues New Fix

With attackers actively targeting zero-day flaws in Flash Reader, Adobe has released its third emergency Flash update this month.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
For the third time this month, Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users' systems.

According to Adobe's security bulletin, "these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe's update patches a bug in the Flash sandbox (CVE-2013-0643), a bug in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vulnerability (CVE-2013-0504). The latter two bugs can be exploited by attackers to execute arbitrary code on systems.

According to Adobe, the first two vulnerabilities are being actively exploited in an attack directed at Firefox users that's "designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." That content then allows an attacker to take control of the system.

[ Questions about the latest Java bugs? Here are some answers. Java Security Warnings: Cut Through The Confusion. ]

The combined Windows and OS X vulnerabilities have been given a priority rating of "1" by Adobe, meaning they pose a high level of risk and should be patched within 72 hours. The Linux vulnerabilities, meanwhile, have only received a severity rating of "3," meaning that the bugs haven't historically been targeted by attackers, leading Adobe to recommend that "administrators install the update at their discretion."

The latest, fixed versions of the affected products are Adobe Flash Player 11.6.602.171 for Windows and OS X, and Adobe Flash Player 11.2.202.273 for Linux. Users of Google Chrome and Internet Explorer 10 for Windows 8 should see the version of Flash Player running in those browsers automatically update to the latest version, although no other browsers on their system will receive the update.

As of Wednesday morning, however, Wolfgang Kandek, CTO of Qualys, said via email that while IE10 appeared to receive the Flash update Tuesday, no update has yet been pushed by Google for Chrome.

Unsure which version of Flash your PC is running? "To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu," says Adobe's security bulletin. "If you use multiple browsers, perform the check for each browser you have installed on your system."

As noted, users of Adobe Flash Player on Windows and OS X should update immediately, because beyond the in-the-wild attacks, attackers tend to quickly reverse-engineer and target any other bugs that have been fixed by a vendor. For example, crimeware toolkit vendors took just two weeks -- at most -- to add into their software an exploit for one of the recent, critical Java bugs, according to the French security researcher who goes by the name "Kafeine."

Security researcher Eric Romang, notably, discovered that the Cool Exploit Kit crimeware package has included an exploit for the Java bug since at least Feb. 15. Cool Exploit Kit, which rents for $10,000 per month, is maintained by the creator of the Blackhole crimeware toolkit, which is designed for stealing people's personal financial information.

According to security researcher Chris Wakelin, the newly exploited Java bug appears to be the same as the "issue 52" (CVE-2013-0431) vulnerability discovered by Poland-based research firm Security Explorations and reported to Oracle, which confirmed the bug and said it will be fixed in a future security update.

Meanwhile, an exploit for the same Java bug was added Monday to the Metasploit open source vulnerability testing toolkit.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gyrostu
50%
50%
gyrostu,
User Rank: Apprentice
3/1/2013 | 8:46:25 PM
re: Flash Patch, Take Three: Adobe Issues New Fix
So next time you are frustrated that you cannot view Flash on your iOS device be glad Apple rejected the reliance on a third party technology integration.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!