"There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," said Wiebke Lips, senior manager for corporate communications at Adobe, via email. "This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website."
Adobe's Wednesday update will patch critical vulnerabilities in Adobe Flash Player (version 10.3.183.7 and earlier) on Windows, Macintosh, Linux, and Solaris, as well as Adobe Flash Player (version 10.3.186.6 and earlier) for Android. An Adobe security bulletin, to be released Wednesday, will have more details about the bugs, as well as a link to patches.
Lips said that some of the vulnerabilities to be fixed in Flash Player were already addressed for Adobe Reader and Acrobat in the security update Adobe released earlier this month. Furthermore, she said, the authplay.dll component that provides Flash functionality for Reader and Acrobat 10.1 (and earlier) and 9.x versions isn't susceptible to the zero-day bug that's being actively exploited by attackers.
On Tuesday, the latest version of Google Chrome (14.0.835.186 for Windows, Mac, Linux, and Chrome Frame), which contains a fix for the zero-day vulnerability, was automatically distributed to users via Chrome's auto-updating mechanism. That continues Adobe's usual practice of releasing Flash fixes early to Google, which integrates and tests the patches with Chrome. Adobe does the same with the roughly 60 other combinations of platforms and configurations for which Flash Player is available, which typically takes a day or two longer than Google's process.
Security experts recommend applying the Flash patch as soon as it becomes available. "Serious stuff, and every Internet user (well, those who use Flash--so owners of iPhones and iPads can relax) would be wise to ensure that they update their computers as soon as possible once the patch is released," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
In other vulnerability news, Cisco on Tuesday disclosed that the database used by Cisco Identity Services Engine contains default credentials that can't be altered. "A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device," according to Cisco's security bulletin.
There are no ways to mitigate this vulnerability, which scores a "10" (most critical) on the 10-point CVSS vulnerability scale. Cisco plans to push a free update on September 30 that will patch the bug.