Adobe released its scheduled update for Flash Player and fixed a cross-site scripting vulnerability that was being exploited in the wild.
The list of security updates IT administrators have to stay on top of this month just got a little longer as Oracle and Adobe released new patches fixing a slew of security vulnerabilities in their products.
Adobe released a security update addressing seven critical vulnerabilities in its Flash Player software on Feb. 15, a day after it patched critical vulnerabilities in Shockwave Player. The latest Flash update addressed critical vulnerabilities in Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh, Linux and Solaris. The update also affects Flash Player 220.127.116.11 and earlier versions for Android 4.x and version 18.104.22.168 and earlier for Android 3.x and 2.x.
Although the Flash release is part of Adobe's scheduled quarterly update, one of the bugs fixed was added at the last minute, according to an Adobe spokesperson. The last-minute bug, CVE-2012-0767, was a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any Website or Webmail provider if the user visited a malicious site. This vulnerability was already being exploited in the wild in targeted attacks against Internet Explorer users on Windows systems, according to Adobe.
Users were being tricked into clicking on a malicious link delivered in an email message as part of a targeted attack, according to Adobe. Google is credited with reporting this vulnerability in the acknowledgements section of the security advisory. Adobe was unable to reproduce the exploit targeting the cross-site scripting vulnerability against the Flash component that ships with Adobe Reader and Acrobat 9.x and later, according to the advisory. In the past, critical vulnerabilities that were first exploited in Flash were later exploited in Reader and Acrobat. That doesn't appear to be the case with the current update.
The rest of the update addressed four memory corruption vulnerabilities and two security bypass vulnerabilities that could lead to code execution. If exploited, an attacker could potentially take control of the affected system. However, Adobe is not aware of any exploits in the wild targeting these issues.
"It sure would have been nice if Adobe bundled all their patches together," said Andrew Storms, director of security operations at nCircle, noting that IT administrators have to rethink their patching strategies to include the latest updates with what had already been released.
The Shockwave Player update was released hours before Microsoft's February Patch Tuesday release. Shortly after that, Oracle released its scheduled update for Java. In the latest security release, Oracle fixed at least 14 security vulnerabilities in the Java Runtime Environment. The new versions are Java 6 Update 31 and Java 7 Update 3.
Vulnerabilities in Java 6 were rated critical and have a Common Vulnerability Scoring System (CVSS) score above 9, according to Wolfgang Kandek, CTO of Qualys. These flaws can be exploited over the network without authentication and are capable of giving the attacker remote control, Kandek said.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible," Oracle said in its email. Exploit developers frequently target Java because it is so ubiquitous, according to Kandek. Oracle estimates Java is installed on more than 3 billion machines worldwide.
Adobe products are also frequently attacked. Part of the problem with the latest exploits is that products are not being updated promptly, the company warned. "The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates," the company wrote.
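The point both vendors make is that the exploits in circulation mostly hit installations that have not received the current update, so the first defensive step is knowing which machines are behind. The script below is an added example, not code from the article, Oracle or Adobe: it takes a constructed inventory of hosts and their reported Java Runtime versions and flags any that are older than the patched releases the article names (Java 6 Update 31 and Java 7 Update 3). The inventory format (hostname, tab, version string in the `1.6.0_NN` style printed by `java -version`) is an assumption for the example; the baseline update numbers come from the article.

```python
"""Flag Java Runtime installations older than the patched releases named in
the article (Java 6 Update 31, Java 7 Update 3).

Added example, not code from the article, Oracle or Adobe. The inventory
lines are constructed sample data; only the baseline update numbers are
taken from the article's text.
"""
import re

# Minimum patched update per Java major version, per the article.
PATCHED_BASELINE = {6: 31, 7: 3}

# Matches the 1.X.0_NN style used by Java 6/7 (e.g. 1.6.0_30, 1.7.0_02).
_VERSION_RE = re.compile(r"^1\.(\d+)\.0_(\d+)$")


def parse_java_version(text):
    """Return (major, update) for a 1.X.0_NN string, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_outdated(version):
    """True if the version predates the patched release for its major version.

    Unparseable strings and major versions with no known baseline are reported
    as outdated so they get a manual look instead of silently passing.
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return True
    major, update = parsed
    baseline = PATCHED_BASELINE.get(major)
    if baseline is None:
        return True
    return update < baseline


def find_outdated_hosts(inventory):
    """Scan 'hostname<TAB>version' lines (assumed inventory format).

    Blank lines and '#' comments are skipped. Returns a sorted list of
    (hostname, version) pairs that still need the update.
    """
    flagged = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        if is_outdated(version):
            flagged.append((host, version))
    return sorted(flagged)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host<TAB>java version (constructed sample data)",
    "ws-17\t1.6.0_29",    # Java 6, two updates behind
    "ws-18\t1.6.0_31",    # Java 6 Update 31: patched
    "build01\t1.7.0_02",  # Java 7 Update 2: one behind
    "db02\t1.7.0_03",     # Java 7 Update 3: patched
    "ws-23\tunknown",     # agent could not read the version: review manually
]


if __name__ == "__main__":
    for host, version in find_outdated_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version} needs the February update")
```

Run against the constructed data it reports build01, ws-17 and ws-23; the unreadable entry is deliberately flagged rather than skipped, since a host whose version cannot be read is the kind of install the vendors say is being exploited.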
It would also have been nice if Adobe could have included some workarounds for the vulnerability while patches are rolled out, Storms said.