Adobe moved swiftly to patch the critical zero-day vulnerability in Flash Player with an emergency update five days after it warned users of malicious Word docs exploiting the flaw.
As
promised, Adobe has patched a zero-day vulnerability in Flash Player that
criminals were already exploiting with malicious Word and Excel documents.
The
new version with the fixed bug, Flash Player 10.2.159.1, was released for
Windows, Mac OS X, Linux and Solaris on April 15. This update was Adobe's
second emergency patch in less than a month.
Adobe
acknowledged the latest security flaw in Flash Player on April 11
(security
advisory CVE-2011-0611) and promised an emergency update to fix the flaw.
Until the flaw was fixed, users were encouraged to disable Flash entirely.
Google
rolled out the patch a day earlier for its Google Chrome browser through the
Web browser's
auto-update
mechanism. Adobe and Google have a code-sharing partnership, where the
Chrome team receives updated builds of Flash Player for integration and testing
as soon as they are available. Since Adobe has a longer testing cycle, testing
against more than 60 supported configurations of Windows, Mac OS X, Linux,
Solaris and Android, it usually makes its patch available later than Google, which
only has to test against Chrome, an Adobe spokesperson told eWEEK.
The
Chrome update also fixed three critical vulnerabilities that could have allowed
attackers to escape Chrome's sandbox and execute on the system.
Adobe
also issued a patch for Adobe AIR for Windows, Mac OS X and Linux.
Android
users will have to wait until the week of April 25, Adobe said. The patches for
Adobe Reader X for Macs and all Adobe Reader 9 versions and Acrobat X are
expected the same week. The Flash vulnerability exists in Reader and Acrobat
because both programs can execute Flash content embedded in PDF files. Adobe
said Reader X for Windows can trap and stop the exploit from executing because
of its sandbox technology. For this reason, Adobe Reader X for Windows will not
be updated until June.
Adobe
Reader 9 users can immediately upgrade to Adobe Reader X, downgrade to Reader
8.x as the vulnerability does not exist in that version, or not open any PDF
files at all until the fix is ready.
Although
the initial advisory warned that attackers were using malicious Word documents,
malformed Excel files were later detected exploiting the latest flaw, according
to
Mila
Parkour, the independent security researcher, who reported the bug.
Attackers had also used rogue Excel spreadsheets to exploit a different Flash
zero-day vulnerability, which Adobe had patched in March.
RSA
Security had been compromised by a phishing email with an attachment that
turned out to be a rogue Excel spreadsheet with malicious Flash code.
The
malicious attachments masqueraded as files containing information on China's
antitrust laws or a purported Japanese nuclear weapons program. Other detected
samples posed as corporate reorganization plans or company contact lists.
As
an attack, it is "obfuscated to a large degree and is also technically
interesting in nature,"
Secunia's
research team wrote on its blog.
The
attachments, when executed, downloaded malware onto the victim's computer. The
malware would communicate with a remote server, which Parkour said was
registered in China.
Email
Print
