3/17/2011
02:05 PM

Google Patches Chrome Zero-Day Flash Vulnerability

The release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame makes the browser the first software to be protected against the Flash vulnerability now being actively exploited.

Google, with its Tuesday release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame, became the first company to patch its software against a zero-day Flash vulnerability. "This release contains an updated version of the Adobe Flash player," said Google's Jason Kersey in a blog post.

According to Adobe, the vulnerability is being actively exploited by attackers, using Shockwave files placed in Microsoft Excel spreadsheets. "Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Brad Arkin, Adobe's senior director for product security and privacy, in a blog post.

In other words, don't panic. "The attack doesn't seem to be in the wild, and the exploit files I've heard of seem to rely on a sequence of already known and already detectable malicious operations, so there is no cause for alarm," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "But do look out for the Flash patches when Adobe publish them next week."

Google's Chrome update makes it the first browser developer -- besting Microsoft, Mozilla, and Apple -- to patch the bug. Then again, the other companies are still waiting for Adobe's Flash Player update, which won't be released until next week. Adobe, however, regularly shares Flash updates more quickly with Google.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

Timing-wise, it might seem odd that an Adobe business partner has patched one of its products against the zero-day vulnerability before Adobe patches its own products. But the issue is one of scale, since Adobe plans to simultaneously release fixes for all affected products, including Flash Player, Acrobat, and Reader. "Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris, and Android -- more than 60 platforms/configurations altogether -- to ensure the fix works across all supported configurations," said Lips. "This process is currently underway and will be completed by next week."

In the meantime, beware of fake updates or product scams, said Sophos's Ducklin. In particular, Sophos has seen a new variation on the old fake AV scam, only for PDF files. In this case, attackers are offering a 30% discount on Adobe Acrobat X Reader -- notably, not affected by the Flash bug -- as well as a free gift.

Needless to say, it's all a scam. "Guess what? The free gift software you're being offered is OpenOffice," said Ducklin. "It really is free."
