Adobe Patches Flash Zero Day

Wednesday, April 20, 2011 @ 10:04 PM gHale


Adobe patched a zero-day vulnerability in Flash Player criminals were already exploiting with malicious Word and Excel documents.

The new version with the fixed bug, Flash Player 10.2.159.1, released for Windows, Mac OS X, Linux and Solaris on April 15. This update was Adobe’s second emergency patch in less than a month.

Adobe acknowledged the latest security flaw in Flash Player April 11 and promised an emergency update to fix the flaw. Until the patch, the company encouraged users to disable Flash entirely.

Google rolled out the patch a day earlier for its Google Chrome browser through the Web browser’s auto-update mechanism. Adobe and Google have a code-sharing partnership, where the Chrome team receives updated builds of Flash Player for integration and testing as soon as they are available. Since Adobe has a longer testing cycle, testing against more than 60 supported configurations of Windows, Mac OS X, Linux, Solaris and Android, it usually makes its patch available later than Google, which only has to test against Chrome, an Adobe spokesperson said.

The Chrome update also fixed three vulnerabilities that would allow attackers to escape Chrome’s sandbox and execute on the system.

Adobe also issued a patch for Adobe AIR for Windows, Mac OS X and Linux.

Android users will have to wait until the week of April 25, Adobe said. The patches for Adobe Reader X for Macs and all Adobe Reader 9 versions and Acrobat X should come out the same week. The Flash vulnerability exists in Reader and Acrobat because both programs can execute Flash content embedded in PDF files. Adobe said Reader X for Windows can trap and stop the exploit from executing because of its sandbox technology. For this reason, Adobe Reader X for Windows will not get an update until June.

Adobe Reader 9 users can immediately upgrade to Adobe Reader X, downgrade to Reader 8.x as the vulnerability does not exist in that version, or not open any PDF files at all until the fix is ready.

Although the initial advisory warned attackers were using malicious Word documents, malformed Excel files also exploited the latest flaw, according to Mila Parkour, the independent security researcher, who reported the bug. Attackers had also used rogue Excel spreadsheets to exploit a different Flash zero-day vulnerability, which Adobe had patched in March.

A phishing email compromised RSA Security with an attachment that turned out to be a rogue Excel spreadsheet with malicious Flash code.

The malicious attachments masqueraded as files containing information on China’s antitrust laws or a purported Japanese nuclear weapons program. Other detected samples posed as corporate reorganization plans or company contact lists.



Leave a Reply

You must be logged in to post a comment.