Vulnerabilities / Threats
3/17/2011
02:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Patches Chrome Zero-Day Flash Vulnerability

The release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame makes the browser the first software to be protected against the Flash vulnerability now being actively exploited.

Google Chrome 9 Advances The 3D Graphical Web
(click image for larger view)
Slideshow: Google Chrome 9 Advances The 3D Graphical Web
Google, with its Tuesday release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame, became the first company to patch its software against a zero-day Flash vulnerability. "This release contains an updated version of the Adobe Flash player," said Google's Jason Kersey in a blog post.

According to Adobe, the vulnerability is being actively exploited by attackers, using Shockwave files placed in Microsoft Excel spreadsheets. "Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Brad Arkin, Adobe's senior director for product security and privacy, in a blog post.

In other words, don't panic. "The attack doesn't seem to be in the wild, and the exploit files I've heard of seem to rely on a sequence of already known and already detectable malicious operations, so there is no cause for alarm," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "But do look out for the Flash patches when Adobe publish them next week."

Google's Chrome update makes it the first browser developer -- besting Microsoft, Mozilla, and Apple -- to patch the bug. Then again, the other companies are still waiting for Adobe's Flash Player update, which won't be released until next week. Adobe, however, regularly shares Flash updates more quickly with Google.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

Timing-wise, it might seem odd that an Adobe business partner has patched one of its products against the zero-day vulnerability before Adobe patches its own products. But the issue is one of scale, since Adobe plans to simultaneously release fixes for all affected products, including Flash Player, Acrobat, and Reader. "Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris, and Android -- more than 60 platforms/configurations altogether -- to ensure the fix works across all supported configurations," said Lips. "This process is currently underway and will be completed by next week."

In the meantime, beware of fake updates or product scams, said Sophos's Ducklin. In particular, Sophos has seen a new variation on the old fake AV scam, only for PDF files. In this case, attackers are offering a 30% discount on Adobe Acrobat X Reader -- notably, not affected by the Flash bug -- as well as a free gift.

Needless to say, it's all a scam. "Guess what? The free gift software you're being offered is OpenOffice," said Ducklin. "It really is free."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.