2/27/2013
11:11 AM
Flash Patch, Take Three: Adobe Issues New Fix

With attackers actively targeting zero-day flaws in Flash Reader, Adobe has released its third emergency Flash update this month.

For the third time this month, Adobe has released an emergency update for Flash Player. The latest update, issued Tuesday, fixes three bugs, two of which are being actively targeted via zero-day attacks that can compromise users' systems.

According to Adobe's security bulletin, "these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe's update patches a bug in the Flash sandbox (CVE-2013-0643), a bug in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vulnerability (CVE-2013-0504). The latter two bugs can be exploited by attackers to execute arbitrary code on systems.

According to Adobe, the first two vulnerabilities are being actively exploited in an attack directed at Firefox users that's "designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." That content then allows an attacker to take control of the system.

The Windows and OS X updates have been given a priority rating of "1" by Adobe, meaning the flaws pose a high level of risk and should be patched within 72 hours. The Linux update, meanwhile, has only received a rating of "3," meaning that the bugs haven't historically been targeted by attackers, leading Adobe to recommend that "administrators install the update at their discretion."

The latest, fixed versions of the affected products are Adobe Flash Player 11.6.602.171 for Windows and OS X, and Adobe Flash Player 11.2.202.273 for Linux. Users of Google Chrome and Internet Explorer 10 for Windows 8 should see the version of Flash Player running in those browsers automatically update to the latest version, although no other browsers on their system will receive the update.

As of Wednesday morning, however, Wolfgang Kandek, CTO of Qualys, said via email that while IE10 appeared to have received the Flash update Tuesday, no update had yet been pushed by Google for Chrome.

Unsure which version of Flash your PC is running? "To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select 'About Adobe (or Macromedia) Flash Player' from the menu," says Adobe's security bulletin. "If you use multiple browsers, perform the check for each browser you have installed on your system."
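The check Adobe describes is manual and per browser. For a fleet, the same comparison can be scripted against the fixed version numbers given above. The following is an added example, not code from Adobe or from this article: it compares inventoried Flash Player version strings, per browser and per platform, against the fixed versions the article names, and uses the priority ratings quoted above to derive a patch deadline. The inventory records, hostnames and the record layout (host/platform/flash_versions) are constructed assumptions, and the Tuesday bulletin date is assumed from the article's 2/27/2013 dateline.

```python
"""Flash Player inventory check against the fixed versions named in this article.

Added example, not Adobe's or the article's own code. The fixed version
numbers and the priority ratings are the ones stated in the article; the
inventory records below are constructed sample data, and the record
layout (host/platform/flash_versions) is a hypothetical export format.
"""
from datetime import datetime, timedelta

# Fixed versions per platform, as stated in the article.
FIXED_VERSIONS = {
    "windows": "11.6.602.171",
    "osx": "11.6.602.171",
    "linux": "11.2.202.273",
}

# Adobe priority rating per platform, as stated in the article:
# 1 = patch within 72 hours, 3 = install at administrator discretion.
PRIORITY = {"windows": 1, "osx": 1, "linux": 3}
PATCH_WINDOW_HOURS = {1: 72, 3: None}


def parse_version(version):
    """Split a dotted Flash version into an integer tuple.

    Comparing as integers matters: as strings, "11.6.602.9" sorts *after*
    "11.6.602.171", so a plain string comparison would miss an outdated build.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_outdated(installed, platform):
    """True if the installed version is older than the fixed version for the platform."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[platform])


def patch_deadline(platform, bulletin_time):
    """Deadline implied by the priority rating, or None when Adobe leaves timing to the admin."""
    hours = PATCH_WINDOW_HOURS[PRIORITY[platform]]
    return None if hours is None else bulletin_time + timedelta(hours=hours)


def assess(inventory, bulletin_time):
    """Return one finding per browser whose Flash plugin is below the fixed version.

    The check is per browser because, as the bulletin notes, each browser on a
    system can carry its own copy of Flash Player.
    """
    findings = []
    for record in inventory:
        platform = record["platform"]
        for browser, installed in record["flash_versions"].items():
            if is_outdated(installed, platform):
                findings.append({
                    "host": record["host"],
                    "browser": browser,
                    "installed": installed,
                    "fixed": FIXED_VERSIONS[platform],
                    "priority": PRIORITY[platform],
                    "deadline": patch_deadline(platform, bulletin_time),
                })
    return findings


# Constructed sample inventory: hostnames and version values are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "ws01", "platform": "windows",
     "flash_versions": {"Internet Explorer 10": "11.6.602.171",  # already updated
                        "Firefox": "11.6.602.168"}},             # still on an older build
    {"host": "mac02", "platform": "osx",
     "flash_versions": {"Safari": "11.6.602.171"}},
    {"host": "lx03", "platform": "linux",
     "flash_versions": {"Firefox": "11.2.202.262"}},
]

# Assumed bulletin time: the article (dated 2/27/2013) says the update shipped Tuesday.
BULLETIN_TIME = datetime(2013, 2, 26)


def run_sample():
    """Run the assessment over the constructed inventory."""
    return assess(SAMPLE_INVENTORY, BULLETIN_TIME)


if __name__ == "__main__":
    for finding in run_sample():
        deadline = finding["deadline"]
        when = deadline.isoformat(" ") if deadline else "at administrator discretion"
        print(f'{finding["host"]}/{finding["browser"]}: {finding["installed"]} < '
              f'{finding["fixed"]} (priority {finding["priority"]}, patch by {when})')
```

Feeding a real endpoint-management export into `assess()` only requires mapping its fields onto the assumed record layout; the version comparison and the priority-to-deadline mapping stay the same.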

As noted, users of Adobe Flash Player on Windows and OS X should update immediately, because beyond the in-the-wild attacks, attackers tend to quickly reverse-engineer and target any other bugs that have been fixed by a vendor. For example, crimeware toolkit vendors took just two weeks -- at most -- to add into their software an exploit for one of the recent, critical Java bugs, according to the French security researcher who goes by the name "Kafeine."

Security researcher Eric Romang, notably, discovered that the Cool Exploit Kit crimeware package has included an exploit for the Java bug since at least Feb. 15. Cool Exploit Kit, which rents for $10,000 per month, is maintained by the creator of the Blackhole crimeware toolkit, which is designed for stealing people's personal financial information.

According to security researcher Chris Wakelin, the newly exploited Java bug appears to be the same as the "issue 52" (CVE-2013-0431) vulnerability discovered by Poland-based research firm Security Explorations and reported to Oracle, which confirmed the bug and said it will be fixed in a future security update.

Meanwhile, an exploit for the same Java bug was added Monday to the Metasploit open source vulnerability testing toolkit.

Comments
gyrostu,
User Rank: Apprentice
3/1/2013 | 8:46:25 PM
re: Flash Patch, Take Three: Adobe Issues New Fix
So next time you are frustrated that you cannot view Flash on your iOS device, be glad Apple rejected the reliance on a third-party technology integration.