Wednesday, April 13, 2011

Adobe Warns of Another Zero-Day Security Risk in Flash

There's another zero-day security risk in Adobe's Flash. The new vulnerability, which also affects Adobe Reader and Acrobat, comes a few weeks after the announcement of a previous one, which was followed by updated versions of the popular multimedia software.
In an advisory posted Monday on its security blog, the company said the vulnerability could cause a crash and, possibly, allow an attacker to take control of a system. The advisory also noted that there are reports the vulnerability is being exploited using a .swf Flash file embedded in a Microsoft Word file and delivered as an attachment to Windows users. Adobe added that it's not aware of any attacks using PDFs that target Reader or Acrobat.
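As an added example (not part of the article or of Adobe's advisory), a defender-side scan that flags a plausible SWF header embedded inside an attachment, the delivery vector described above. The sample attachment is constructed and its SWF body is arbitrary bytes, not a real movie.

```python
# Added example (not from the article or Adobe): a heuristic that looks for an
# embedded SWF (Flash) header inside an attachment, e.g. a Word document.
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA


def find_embedded_swf(data: bytes, max_version: int = 40):
    """Return (offset, signature, version, declared_length) tuples, sorted by
    offset, for each plausible SWF header in `data`. An SWF header is a 3-byte
    signature, a 1-byte version and a 4-byte little-endian uncompressed length."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                length = struct.unpack("<I", header[4:8])[0]
                # Plausibility checks: a real SWF version number is small and
                # the declared length must cover at least the 8-byte header.
                if 1 <= version <= max_version and length >= 8:
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def build_sample_attachment() -> bytes:
    """Constructed sample: an OLE2 magic number plus filler standing in for a
    Word file, with a tiny zlib-compressed SWF placed in the middle. The SWF
    body is arbitrary bytes, not a real movie."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00\x00"
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return b"\xd0\xcf\x11\xe0" + b"A" * 64 + swf + b"B" * 64


if __name__ == "__main__":
    for off, sig, ver, ln in find_embedded_swf(build_sample_attachment()):
        print(f"possible SWF at offset {off}: {sig} v{ver}, declared length {ln}")
```

Office files can legitimately embed Flash, so a hit is a triage signal for attachments from untrusted senders, not proof of exploitation.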
Used in 'Spear Phishing'
The critical vulnerability exists in Flash Player 10.2.153.1, as well as earlier versions for Windows, Mac, Linux and Solaris; Flash Player 10.2.154.25 and earlier for Chrome users; Flash Player 10.2.156.12 and earlier for Android; and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Mac operating systems.
Adobe said it's in the process of finalizing an update schedule for Flash Player 10.2.x and earlier versions for Windows, Mac, Linux, Solaris and Android; Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Mac; Reader X (10.0.2) for Mac; and Reader 9.4.3 and earlier 9.x versions for Windows and Mac.
The company added that, because Reader X Protected Mode prevents the exploit from executing, the issue for Reader X for Windows will be addressed in the next quarterly security update for Reader, presently scheduled for the middle of June.
According to some security researchers, the Flash-based attacks are featured in some of the recent spear-phishing campaigns against major organizations, including marketing house Epsilon and security firm RSA. The attacks reportedly utilized Flash embedded inside Microsoft documents disguised as government documents.
Flash Threat Predicted
Spear-phishing refers to e-mails, targeted at specific users, that purport to come from a trusted company or organization and seek to obtain confidential information.
In its 2010 Threat Predictions report released -- ironically -- as a PDF in late 2009, security firm Symantec predicted that, in 2010, "Adobe software, especially Acrobat Reader and Flash," would take the top spot as a target of cybercriminals, replacing Microsoft products such as Windows and Internet Explorer.
The report noted that Flash and Acrobat Reader have become a favorite among attackers, who use "reliable 'heap spray-like' and other exploitation techniques." Adobe has been successful in making Flash and Adobe Reader virtually ubiquitous on every computer platform, and has touted this huge cross-platform installed base as a strength.
But Symantec noted that this wide deployment also makes Flash and Adobe Reader increasingly attractive to attackers, because they "provide a higher return on investment to cybercriminals."
