Vulnerabilities / Threats
3/17/2011
02:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Patches Chrome Zero-Day Flash Vulnerability

The release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame makes the browser the first software to be protected against the Flash vulnerability now being actively exploited.

Google Chrome 9 Advances The 3D Graphical Web
(click image for larger view)
Slideshow: Google Chrome 9 Advances The 3D Graphical Web
Google, with its Tuesday release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame, became the first company to patch its software against a zero-day Flash vulnerability. "This release contains an updated version of the Adobe Flash player," said Google's Jason Kersey in a blog post.

According to Adobe, the vulnerability is being actively exploited by attackers, using Shockwave files placed in Microsoft Excel spreadsheets. "Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Brad Arkin, Adobe's senior director for product security and privacy, in a blog post.

In other words, don't panic. "The attack doesn't seem to be in the wild, and the exploit files I've heard of seem to rely on a sequence of already known and already detectable malicious operations, so there is no cause for alarm," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "But do look out for the Flash patches when Adobe publish them next week."

Google's Chrome update makes it the first browser developer -- besting Microsoft, Mozilla, and Apple -- to patch the bug. Then again, the other companies are still waiting for Adobe's Flash Player update, which won't be released until next week. Adobe, however, regularly shares Flash updates more quickly with Google.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

Timing-wise, it might seem odd that an Adobe business partner has patched one of its products against the zero-day vulnerability before Adobe patches its own products. But the issue is one of scale, since Adobe plans to simultaneously release fixes for all affected products, including Flash Player, Acrobat, and Reader. "Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris, and Android -- more than 60 platforms/configurations altogether -- to ensure the fix works across all supported configurations," said Lips. "This process is currently underway and will be completed by next week."

In the meantime, beware of fake updates or product scams, said Sophos's Ducklin. In particular, Sophos has seen a new variation on the old fake AV scam, only for PDF files. In this case, attackers are offering a 30% discount on Adobe Acrobat X Reader -- notably, not affected by the Flash bug -- as well as a free gift.

Needless to say, it's all a scam. "Guess what? The free gift software you're being offered is OpenOffice," said Ducklin. "It really is free."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6856
Published: 2014-10-02
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6857
Published: 2014-10-02
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6858
Published: 2014-10-02
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6859
Published: 2014-10-02
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6860
Published: 2014-10-02
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.