As promised, Adobe has patched a zero-day vulnerability in Flash Player that criminals were already exploiting with malicious Word and Excel documents.
The new version with the fixed bug, Flash Player 10.2.159.1, was released for Windows, Mac OS X, Linux and Solaris on April 15. This update was Adobe’s second emergency patch in less than a month.
Adobe acknowledged the latest security flaw in Flash Player on April 11 (security advisory CVE-2011-0611) and promised an emergency update to fix the flaw. Until the flaw was fixed, users were encouraged to disable Flash entirely.
Google rolled out the patch a day earlier for its Google Chrome browser through the Web browser’s auto-update mechanism. Adobe and Google have a code-sharing partnership, where the Chrome team receives updated builds of Flash Player for integration and testing as soon as they are available. Since Adobe has a longer testing cycle, testing against more than 60 supported configurations of Windows, Mac OS X, Linux, Solaris and Android, it usually makes its patch available later than Google, which only has to test against Chrome, an Adobe spokesperson told eWEEK.
The Chrome update also fixed three critical vulnerabilities that could have allowed attackers to escape Chrome’s sandbox and execute on the system.
Adobe also issued a patch for Adobe AIR for Windows, Mac OS X and Linux.
Android users will have to wait until the week of April 25, Adobe said. The patches for Adobe Reader X for Macs and all Adobe Reader 9 versions and Acrobat X are expected the same week. The Flash vulnerability exists in Reader and Acrobat because both programs can execute Flash content embedded in PDF files. Adobe said Reader X for Windows can trap and stop the exploit from executing because of its sandbox technology. For this reason, Adobe Reader X for Windows will not be updated until June.
Adobe Reader 9 users can immediately upgrade to Adobe Reader X, downgrade to Reader 8.x as the vulnerability does not exist in that version, or not open any PDF files at all until the fix is ready.
Although the initial advisory warned that attackers were using malicious Word documents, malformed Excel files were later detected exploiting the latest flaw, according to Mila Parkour, the independent security researcher, who reported the bug. Attackers had also used rogue Excel spreadsheets to exploit a different Flash zero-day vulnerability, which Adobe had patched in March.
RSA Security had been compromised by a phishing email with an attachment that turned out to be a rogue Excel spreadsheet with malicious Flash code.
The malicious attachments masqueraded as files containing information on China’s antitrust laws or a purported Japanese nuclear weapons program. Other detected samples posed as corporate reorganization plans or company contact lists.
As an attack, it is “obfuscated to a large degree and is also technically interesting in nature,” Secunia’s research team wrote on its blog.
The attachments, when executed, downloaded malware onto the victim’s computer. The malware would communicate with a remote server, which Parkour said was registered in China.