Adobe to rush out Flash Player patch to thwart zero-day attacks

Summary: Another in-the-wild zero-day attack prompts an urgent Flash Player patch from Adobe.

[UPDATE: The update is live. Here's a link with more details.]

Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.

According to Adobe, the Flash Player update will address critical security issues in the product as well as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

The company is expected to fix at least 16 documented vulnerabilities, some critical enough to expose Windows and Mac users to code execution attacks via Flash files hosted on Web pages.

The Adobe patch comes a day after Google shipped a Chrome update that "includes an update to Flash Player that addresses a zero-day vulnerability."

Details on the targeted zero-day attacks are not yet available but it's clear these types of attacks are happening at a very high level.

Just this week at the United Security Summit, Adobe security chief Brad Arkin said the company's main adversaries are state-sponsored actors.

From Threatpost's Dennis Fisher:

"In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries," Arkin said in his keynote speech at the United Security Summit here Tuesday. "These are the groups that have enough money to build an aircraft carrier. Those are our adversaries."

Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it's likely an entirely different set of attackers using the exploit. But it's the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

"These samples trickle downhill really quickly and show up in crime packs," Arkin said. "The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it's a very different cost."

In addition to Flash Player, Adobe's PDF Reader and Acrobat software products are among the main targets for sophisticated attacks.

Topics: Enterprise Software, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
