
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe Flash Player XSS flaw under 'active attack'

By | February 15, 2012, 5:13pm PST

Summary: Adobe ships a Flash Player patch amidst reports that a universal cross-site scripting flaw “is being exploited in the wild in active targeted attacks.”

Ladies and gentlemen, rev up your Flash Player update engines.

Adobe has shipped a new version of the ubiquitous software to fix at least seven documented security holes affecting Windows, Mac OS X, Linux and Solaris users.

According to Adobe, these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

It also patches a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.

Adobe has acknowledged reports that the cross-site scripting flaw “is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an e-mail message (Internet Explorer on Windows only).”


From Adobe’s advisory:


Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

The raw details:

  • This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).
  • This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
  • This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).
  • This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).
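An added example (not from the article or from Adobe): a small Python audit that compares inventoried Flash Player builds against the fixed versions quoted from the advisory above. The host names, inventory rows and the semicolon-separated format are constructed for illustration.

```python
# Fixed builds per platform family, copied from the advisory text quoted above.
FIXED = {
    "desktop": (11, 1, 102, 62),   # Windows, Macintosh, Linux, Solaris
    "android4": (11, 1, 115, 6),   # Android 4.x
    "android3": (11, 1, 111, 6),   # Android 3.x and earlier
}
DESKTOP = {"windows", "macintosh", "linux", "solaris"}
# Constructed inventory (hypothetical hosts): host;platform;os_version;flash_version
INVENTORY = """\
ws-014;Windows;7;11.1.102.55
ws-015;Windows;7;11.1.102.62
ws-020;Windows;XP;11,1,102,9
tab-01;Android;4.0;11.1.112.61
tab-02;Android;4.0;11.1.115.6
ph-07;Android;2.3;11.1.111.5
kiosk-2;Linux;;unknown
"""

def parse_version(text):
    """Parse '11.1.102.55' or comma-separated '11,1,102,55' into an int tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def family(platform, os_version):
    """Map a platform and OS version to one of the advisory's three groups."""
    name = platform.strip().lower()
    if name in DESKTOP:
        return "desktop"
    if name == "android":
        major = int(os_version.split(".")[0])  # ValueError if missing
        if major <= 4:
            return "android4" if major == 4 else "android3"
    raise ValueError(f"not covered by the advisory: {platform} {os_version}")

def audit(inventory):
    """Return (outdated, errors); rows that cannot be judged are never dropped."""
    outdated, errors = [], []
    for line in inventory.splitlines():
        try:
            host, platform, os_version, flash = line.split(";")
            fixed = FIXED[family(platform, os_version)]
            # Tuple comparison is numeric: 102.9 sorts below 102.62.
            if parse_version(flash) < fixed:
                outdated.append((host, ".".join(map(str, fixed))))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return outdated, errors
```

Rows that land in `errors` need manual follow-up: an unreadable version string is not evidence that a host is patched.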


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments


so who benefits
walkerjian@... 17th Feb
from flash? where does the money go, the information?
Conversely, who benefits from flash being detubed, ruined?

find that out and you will be very much the wiser...

ps: why do we still have to use addins to browsers to make them 'safe'?

why do MS Google Opera Firefox all make the same mistakes all the time...
why does DNS remain borken?
why?
how come billy and stevey and rupy and others never get hacked?

COME ON GUYS! ARE YOU JOURNALISTS OR STOOGES?

Just for the sake of consistency. Apple's iPad and iPhone excepted, of course.

@Rabid Howler Monkey
LOL grin was about to type the exact same.
Working towards a Flash-free web.

@ScorpioBlue

And that will be a good day indeed.

what? no thanks cause security nightmare flash will never be installed on my machine and yes I can watch videos on youtube--HTML5 grin

Not ready to just uninstall Flash
jscott418 Updated - 16th Feb
As much as I would like to ditch Flash, I still find way too many sites that still use it to handicap myself from the Web. My concern about these updates though is that I find that unless you shut down or restart your PC many times the Flash player does not check for updates. I think Adobe should provide a way to check for updates more frequently. OS X is even worse as I do not believe it checks for updates more frequently than monthly.

The only web browser that currently sandboxes Flash Player is Google's Chrome browser on the Windows, Mac OS X and desktop Linux (Debian, Ubuntu, Fedora and openSUSE) platforms. Google's Chrome browser ships with the Flash Player plug-in and transparently keeps it updated. While a Flash Player sandbox is under active development for Mozilla's Firefox browser (Windows only), it will not be available until later this year. Flash Player is not sandboxed using Internet Explorer and, most likely, will not be any time soon.

With advanced persistent threats (APTs) all the rage now:

o Why on earth is anyone using Flash Player in conjunction with Internet Explorer or Firefox on the Windows platform?
o How many Firefox users on the Windows platform use the NoScript or FlashBlock add-on to help manage the web sites (so-called trusted sites) where Flash Player is permitted to run?
o How many IE users whitelist web sites (so-called trusted sites) where Flash Player is permitted to run?
o How many IE and Firefox users on the Windows platform use a 3rd party sandbox to contain the web browser and plug-ins like Flash Player and Java?

With regard to Mac OS X, desktop Linux and Solaris, while the Flash Player vulnerabilities are present, the miscreants are not currently targeting these platforms as their market share is still low (even Mac OS X at 7%).