Flash Patch, Take Three: Adobe Issues New FixWith attackers actively targeting zero-day flaws in Flash Reader, Adobe has released its third emergency Flash update this month.
Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)
For the third time this month, Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users' systems.
According to Adobe's security bulletin, "these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."
Adobe's update patches a bug in the Flash sandbox (CVE-2013-0643), a bug in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vulnerability (CVE-2013-0504). The latter two bugs can be exploited by attackers to execute arbitrary code on systems.
According to Adobe, the first two vulnerabilities are being actively exploited in an attack directed at Firefox users that's "designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." That content then allows an attacker to take control of the system.
[ Questions about the latest Java bugs? Here are some answers. Java Security Warnings: Cut Through The Confusion. ]
The combined Windows and OS X vulnerabilities have been given a priority rating of "1" by Adobe, meaning they pose a high level of risk and should be patched within 72 hours. The Linux vulnerabilities, meanwhile, have only received a severity rating of "3," meaning that the bugs haven't historically been targeted by attackers, leading Adobe to recommend that "administrators install the update at their discretion."
The latest, fixed versions of the affected products are Adobe Flash Player 11.6.602.171 for Windows and OS X, and Adobe Flash Player 188.8.131.523 for Linux. Users of Google Chrome and Internet Explorer 10 for Windows 8 should see the version of Flash Player running in those browsers automatically update to the latest version, although no other browsers on their system will receive the update.
As of Wednesday morning, however, Wolfgang Kandek, CTO of Qualys, said via email that while IE10 appeared to receive the Flash update Tuesday, no update has yet been pushed by Google for Chrome.
Unsure which version of Flash your PC is running? "To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu," says Adobe's security bulletin. "If you use multiple browsers, perform the check for each browser you have installed on your system."
As noted, users of Adobe Flash Player on Windows and OS X should update immediately, because beyond the in-the-wild attacks, attackers tend to quickly reverse-engineer and target any other bugs that have been fixed by a vendor. For example, crimeware toolkit vendors took just two weeks -- at most -- to add into their software an exploit for one of the recent, critical Java bugs, according to the French security researcher who goes by the name "Kafeine."
Security researcher Eric Romang, notably, discovered that the Cool Exploit Kit crimeware package has included an exploit for the Java bug since at least Feb. 15. Cool Exploit Kit, which rents for $10,000 per month, is maintained by the creator of the Blackhole crimeware toolkit, which is designed for stealing people's personal financial information.
According to security researcher Chris Wakelin, the newly exploited Java bug appears to be the same as the "issue 52" (CVE-2013-0431) vulnerability discovered by Poland-based research firm Security Explorations and reported to Oracle, which confirmed the bug and said it will be fixed in a future security update.
Meanwhile, an exploit for the same Java bug was added Monday to the Metasploit open source vulnerability testing toolkit.
Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!