Vulnerabilities / Threats
3/17/2011
02:05 PM
50%
50%

Google Patches Chrome Zero-Day Flash Vulnerability

The release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame makes the browser the first software to be protected against the Flash vulnerability now being actively exploited.

Google Chrome 9 Advances The 3D Graphical Web
(click image for larger view)
Slideshow: Google Chrome 9 Advances The 3D Graphical Web
Google, with its Tuesday release of Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame, became the first company to patch its software against a zero-day Flash vulnerability. "This release contains an updated version of the Adobe Flash player," said Google's Jason Kersey in a blog post.

According to Adobe, the vulnerability is being actively exploited by attackers, using Shockwave files placed in Microsoft Excel spreadsheets. "Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Brad Arkin, Adobe's senior director for product security and privacy, in a blog post.

In other words, don't panic. "The attack doesn't seem to be in the wild, and the exploit files I've heard of seem to rely on a sequence of already known and already detectable malicious operations, so there is no cause for alarm," said Paul Ducklin, the Asia-Pacific head of technology for Sophos, in a blog post. "But do look out for the Flash patches when Adobe publish them next week."

Google's Chrome update makes it the first browser developer -- besting Microsoft, Mozilla, and Apple -- to patch the bug. Then again, the other companies are still waiting for Adobe's Flash Player update, which won't be released until next week. Adobe, however, regularly shares Flash updates more quickly with Google.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

Timing-wise, it might seem odd that an Adobe business partner has patched one of its products against the zero-day vulnerability before Adobe patches its own products. But the issue is one of scale, since Adobe plans to simultaneously release fixes for all affected products, including Flash Player, Acrobat, and Reader. "Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris, and Android -- more than 60 platforms/configurations altogether -- to ensure the fix works across all supported configurations," said Lips. "This process is currently underway and will be completed by next week."

In the meantime, beware of fake updates or product scams, said Sophos's Ducklin. In particular, Sophos has seen a new variation on the old fake AV scam, only for PDF files. In this case, attackers are offering a 30% discount on Adobe Acrobat X Reader -- notably, not affected by the Flash bug -- as well as a free gift.

Needless to say, it's all a scam. "Guess what? The free gift software you're being offered is OpenOffice," said Ducklin. "It really is free."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.