Risk
2/27/2013
11:11 AM
50%
50%

Flash Patch, Take Three: Adobe Issues New Fix

With attackers actively targeting zero-day flaws in Flash Reader, Adobe has released its third emergency Flash update this month.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
For the third time this month, Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users' systems.

According to Adobe's security bulletin, "these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe's update patches a bug in the Flash sandbox (CVE-2013-0643), a bug in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vulnerability (CVE-2013-0504). The latter two bugs can be exploited by attackers to execute arbitrary code on systems.

According to Adobe, the first two vulnerabilities are being actively exploited in an attack directed at Firefox users that's "designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." That content then allows an attacker to take control of the system.

[ Questions about the latest Java bugs? Here are some answers. Java Security Warnings: Cut Through The Confusion. ]

The combined Windows and OS X vulnerabilities have been given a priority rating of "1" by Adobe, meaning they pose a high level of risk and should be patched within 72 hours. The Linux vulnerabilities, meanwhile, have only received a severity rating of "3," meaning that the bugs haven't historically been targeted by attackers, leading Adobe to recommend that "administrators install the update at their discretion."

The latest, fixed versions of the affected products are Adobe Flash Player 11.6.602.171 for Windows and OS X, and Adobe Flash Player 11.2.202.273 for Linux. Users of Google Chrome and Internet Explorer 10 for Windows 8 should see the version of Flash Player running in those browsers automatically update to the latest version, although no other browsers on their system will receive the update.

As of Wednesday morning, however, Wolfgang Kandek, CTO of Qualys, said via email that while IE10 appeared to receive the Flash update Tuesday, no update has yet been pushed by Google for Chrome.

Unsure which version of Flash your PC is running? "To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu," says Adobe's security bulletin. "If you use multiple browsers, perform the check for each browser you have installed on your system."

As noted, users of Adobe Flash Player on Windows and OS X should update immediately, because beyond the in-the-wild attacks, attackers tend to quickly reverse-engineer and target any other bugs that have been fixed by a vendor. For example, crimeware toolkit vendors took just two weeks -- at most -- to add into their software an exploit for one of the recent, critical Java bugs, according to the French security researcher who goes by the name "Kafeine."

Security researcher Eric Romang, notably, discovered that the Cool Exploit Kit crimeware package has included an exploit for the Java bug since at least Feb. 15. Cool Exploit Kit, which rents for $10,000 per month, is maintained by the creator of the Blackhole crimeware toolkit, which is designed for stealing people's personal financial information.

According to security researcher Chris Wakelin, the newly exploited Java bug appears to be the same as the "issue 52" (CVE-2013-0431) vulnerability discovered by Poland-based research firm Security Explorations and reported to Oracle, which confirmed the bug and said it will be fixed in a future security update.

Meanwhile, an exploit for the same Java bug was added Monday to the Metasploit open source vulnerability testing toolkit.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gyrostu
50%
50%
gyrostu,
User Rank: Apprentice
3/1/2013 | 8:46:25 PM
re: Flash Patch, Take Three: Adobe Issues New Fix
So next time you are frustrated that you cannot view Flash on your iOS device be glad Apple rejected the reliance on a third party technology integration.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.