Adobe launched an emergency out-of-band update for its Flash Player 10 on the same day it announced the latest version of its Web multimedia platform, Flash 11.
A week after the quarterly patch update for Adobe Acrobat and Reader, Adobe released an emergency update to address a zero-day vulnerability in its Flash Player.
Adobe announced the out-of-cycle patch on Sept. 21 to fix a zero-day vulnerability and several critical issues affecting Flash Player 10 and earlier versions for Windows, Macintosh, Android, Linux and Solaris. One of the bugs, rated "important," is a universal cross-site scripting issue that can be used by remote attackers to perform Website actions on a Web page or Webmail account on the user's behalf, Adobe said in its security advisory. Unlike an ordinary cross-site scripting bug, which is a flaw in one particular site, a universal cross-site scripting flaw sits in the browser or plug-in itself, so it can be turned against any site the victim is logged in to.
"I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user's Gmail account," Andrew Storms, director of security for nCircle, told eWEEK. A malicious campaign earlier this year took advantage of a different zero-day in Flash that allowed perpetrators to impersonate a user on various sites, including Google's Gmail and financial Websites. Adobe patched that cross-site scripting flaw on June 5 after Google reported the issue.
The latest Flash Player update fixed six vulnerabilities. The critical vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system when a user visits a Web page seeded with malicious Flash files, Adobe said. The issues in the Flash update had already been addressed for Adobe Reader and Acrobat in last week's quarterly patch update, Adobe said.
"There are reports that one of these vulnerabilities is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an e-mail message," Adobe warned. It appears that Google reported this cross-site scripting vulnerability as well.
The vulnerability is "not straightforward to exploit," Chester Wisniewski, a senior security adviser at Sophos, wrote on the Naked Security blog.
"It's time for all IT teams to circle the wagons and patch Flash as soon as possible," Storms said.
Google patched the version of Adobe Flash that is integrated in its Chrome for Windows Web browser a day earlier, on Sept. 20. Google generally releases Chrome updates to fix Flash issues before Adobe does. Adobe develops the patch, but since there are only a handful of configurations to test against Chrome, those updates are ready sooner and are pushed to Google while Adobe finishes testing other browser and operating system combinations, according to Wiebke Lips, Adobe's senior manager of corporate communications.
Since the exploit is already in the wild, Google releasing the patch a day before Adobe makes little practical difference: attackers do not need to reverse-engineer the fix to learn about the bug. "It's probably easier for attackers to get the exploit code directly instead of trying to decipher it from Adobe's patch or even Chrome's code changes," Storms said.
The patch was released on the same day that Adobe was touting the new 3D graphics capabilities in Flash 11, which will be available in early October.
"Serious stuff, and every Internet user (well, those who use Flash, so owners of iPhones and iPads can relax) would be wise to ensure that they update their computers as soon as possible once the patch is released," Graham Cluley, senior technology consultant at Sophos, added on the Naked Security blog.