
Adobe Patches Zero-Day XSS Flaw, Six Other Bugs in Flash Player

Feb 15, 2012

The list of security updates IT administrators have to stay on top of this month just got a little longer as Oracle and Adobe released new patches fixing a slew of security vulnerabilities in their products.

Adobe released a security update addressing seven critical vulnerabilities in its Flash Player software on Feb. 15, a day after it patched critical vulnerabilities in Shockwave Player. The latest Flash update addressed critical vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris. The update also affects Flash Player 11.1.112.61 and earlier versions for Android 4.x and version 11.1.111.5 and earlier for Android 3.x and 2.x.
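As an added illustration (not code from eWeek or Adobe), the following inventory check flags installs still at or below the per-platform version ceilings quoted above; the host names and version strings in the sample inventory are constructed, and the comparison is numeric per component rather than lexical, which matters for builds like 11.1.102.9 versus 11.1.102.55.

```python
from typing import Dict, List, Tuple

# Highest still-vulnerable build per platform family, as stated in the article
# ("11.1.102.55 and earlier" for desktop platforms, and so on). Anything at or
# below these is unpatched against CVE-2012-0767 and the six other fixed bugs.
LAST_VULNERABLE = {
    "windows": "11.1.102.55",
    "macintosh": "11.1.102.55",
    "linux": "11.1.102.55",
    "solaris": "11.1.102.55",
    "android4": "11.1.112.61",
    "android3": "11.1.111.5",
    "android2": "11.1.111.5",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted Flash version into an int tuple so ordering is numeric;
    comparing raw strings would rank '11.1.102.9' above '11.1.102.55'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(platform: str, installed: str) -> bool:
    """True when the installed build is at or below the last unpatched build
    for its platform family. Unknown platforms raise KeyError on purpose so a
    typo in inventory data never silently reads as 'patched'."""
    threshold = LAST_VULNERABLE[platform.lower()]
    return parse_version(installed) <= parse_version(threshold)


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hosts from an inventory that still need the Flash update."""
    return [h["host"] for h in inventory if is_vulnerable(h["platform"], h["version"])]


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "11.1.102.55"},    # exactly the ceiling
    {"host": "ws-02", "platform": "windows", "version": "11.1.102.62"},    # above it, assumed patched
    {"host": "ws-03", "platform": "windows", "version": "10.3.183.15"},    # older branch, "and earlier"
    {"host": "mac-01", "platform": "macintosh", "version": "11.1.102.9"},  # lexical-compare trap
    {"host": "tab-01", "platform": "android4", "version": "11.1.112.61"},  # Android 4.x ceiling
    {"host": "ph-01", "platform": "android2", "version": "11.1.111.6"},    # above Android 2.x ceiling
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print("needs Flash update:", host)
```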

While this Flash release is part of Adobe’s scheduled quarterly update, one of the bugs fixed was added in at the last minute, according to an Adobe spokesperson.

The last-minute bug, CVE-2012-0767, was a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any Website or Webmail provider if the user visits a malicious site. This vulnerability was already being exploited in the wild in targeted attacks against Internet Explorer users on Windows systems, according to Adobe.

Users were being tricked into clicking on a malicious link delivered in an email message as part of a targeted attack, according to Adobe. Google is credited for reporting this vulnerability in the acknowledgements section of the security advisory.

Adobe was unable to reproduce the exploit targeting the cross-site scripting vulnerability against the Flash component that ships with Adobe Reader and Acrobat 9.x and later, according to the advisory. In the past, critical vulnerabilities that were first exploited in Flash were later exploited in Reader and Acrobat. That doesn’t appear to be the case with the current exploit.

The rest of the update addressed four memory corruption vulnerabilities and two security bypass vulnerabilities that could lead to code execution. If exploited, an attacker could potentially take control of the affected system. However, Adobe is not aware of any exploits in the wild targeting these issues.

“It sure would have been nice if Adobe bundled all their patches together,” said Andrew Storms, director of security operations at nCircle, noting that IT administrators have to rethink their patching strategies to include the latest updates with what had already been released.

Adobe’s Shockwave Player update was released hours before Microsoft’s February Patch Tuesday release. Shortly after that, Oracle released its scheduled update for Java. In the latest security release, Oracle fixed at least 14 security vulnerabilities in the Java Runtime Environment. The new versions are Java 6 update 31 and Java 7 update 3.

Five vulnerabilities in Java 6 were rated critical and have a Common Vulnerability Scoring System (CVSS) score above 9, according to Wolfgang Kandek, CTO of Qualys. These flaws can be exploited through the network without authentication and are capable of providing remote control to the attacker, Kandek said.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” Oracle said in its email advisory.

Malware developers frequently write exploits targeting Java because it is so ubiquitous, according to Kandek. Oracle estimates Java is installed on more than 3 billion machines worldwide.

Adobe products are also frequently attacked. Part of the problem with the latest exploits is that products are not being updated promptly, the company warned.

“The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates,” the company wrote.

It would have also been nice if Adobe could have included some workarounds for the vulnerability while patches are rolled out, Storms said.
