Adobe issues Flash Player update, fixes Adobe XSS zero-day flaw

An Adobe Systems security update fixed seven critical flaws in Flash Player, including a cross-site scripting vulnerability being actively targeted by attackers.

Adobe Systems Inc. issued a high-priority security update for its ubiquitous Flash Player software, repairing seven critical vulnerabilities, including a cross-site scripting (XSS) flaw that is being actively targeted in phishing attacks against Internet Explorer users.


The Adobe XSS flaw is in the Flash Player browser plug-in and affects every browser that loads it, but the ongoing phishing attacks appear to target Internet Explorer users. It can be used “to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website,” Adobe said in a security bulletin issued Wednesday.

“There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only),” Adobe said.

XSS is one of the most common web attack techniques and is built into a variety of automated exploit toolkits. An XSS flaw lets an attacker run JavaScript of their choosing in the victim's browser inside the security context of a trusted site, so the script can read that site's session cookies and other data and send requests the site treats as the user's own. It is often the first stage of an attack: the injected script can steal credentials, or send the victim to a page that exploits other flaws or drops additional malware on the machine. Experts say XSS coding errors are among the most common web vulnerabilities and, unfortunately, among the hardest to keep attackers from exploiting, because they can arise anywhere untrusted input is echoed back into a page.
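To make the mechanism concrete, here is an added example (not code from Adobe's bulletin or from the article) of the classic reflected XSS pattern: a page that echoes a query parameter without escaping, beside the same page with escaping. It runs under Node.js with no browser and no network; it only builds the HTML a server would return, then checks whether the attacker's tag survived. The `/mail/forward` endpoint in the payload is a made-up example of the “take actions on a user's behalf” outcome Adobe describes, not a real webmail URL.

```javascript
// Added example, not code from the Adobe bulletin or the article.
// Reflected XSS: untrusted input concatenated into HTML, beside the escaped form.

// Escapes the five characters that matter for text placed between tags or
// inside a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter goes straight into the page, so any markup
// in it becomes live markup in the site's own origin.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: identical template, but the input is escaped first.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed payload of the kind the article describes: once it executes in the
// victim's session it sends a request with the user's own cookies attached.
// The /mail/forward endpoint is hypothetical.
const PAYLOAD =
  '<img src=x onerror="fetch(\'/mail/forward?to=attacker@example.com\',{credentials:\'include\'})">';

// Names of every tag in a rendered fragment, in document order.
// Enough for this demo; it is not a general HTML parser.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Tags that the template itself did not emit, i.e. injected markup.
function injectedTags(html, templateTags = ["p"]) {
  return tagNames(html).filter((t) => !templateTags.includes(t));
}

// Stand-alone run: show both renderings and what leaked through.
console.log("vulnerable:", renderGreetingVulnerable(PAYLOAD));
console.log("  injected tags:", injectedTags(renderGreetingVulnerable(PAYLOAD)));
console.log("safe:      ", renderGreetingSafe(PAYLOAD));
console.log("  injected tags:", injectedTags(renderGreetingSafe(PAYLOAD)));
```

The point of the `injectedTags` check is that the escaped page still *contains* the text `onerror=`, but as inert text: without a real `<` the browser never creates an element, so no handler runs. Escaping must be chosen for the context the data lands in (HTML text, attribute, URL, or script); the function above covers the first two only.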

The six other flaws include a variety of memory corruption and security bypass errors. “These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

The update affects users of Adobe Flash Player on Windows, Macintosh, Linux and Solaris systems, as well as Flash Player for Google Android devices.

Adobe has been slowly building protections around its Flash Player plug-in. Flash Player already runs inside a sandbox for Google Chrome users, and last week Adobe issued a beta of a sandboxed Flash Player for Firefox. Sandboxing limits what an attacker who has exploited Flash Player can reach: the compromised plug-in process must also break out of the sandbox before it can touch other critical systems and components on the victim's machine.

Shockwave Player update
The Flash Player update is the second security bulletin issued by Adobe this week. On Tuesday, the software maker issued an update to its Shockwave Player, repairing eight vulnerabilities. The update affects users of Shockwave Player 11.6.3.633 and earlier versions on Windows and Macintosh machines.

Adobe said the critical update repairs a variety of memory corruption vulnerabilities and a heap overflow flaw that could lead to remote code execution. “These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system,” Adobe said.

“While not quite as popular as Adobe Flash, it has a large installed base and has seen its share of use in Web-based attacks,” said Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc.
