Adobe Flash Player XSS flaw under 'active attack'

Adobe Flash Player XSS flaw under 'active attack'

Summary: Adobe ships a Flash Player patch amidst reports that a universal cross-site scripting flaw "is being exploited in the wild in active targeted attacks."

SHARE:

Ladies and gentlemen, rev up your Flash Player update engines.

Adobe has shipped a new version of the ubiquitous software to fix at least seven documented security holes affecting Windows, Mac OS X, Linux and Solaris users.

According to Adobe, these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

It also patches a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

Adobe has acknowledged reports that the cross-site scripting flaw "is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an e-mail message (Internet Explorer on Windows only).

[ SEE: Ten little things to secure your online presence ]

From Adobe's advisory:

follow Ryan Naraine on twitter

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

The raw details:

  • This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).
  • This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
  • This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).
  • This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).

Topics: Security, Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • Why not "Have you uninstalled Flash Player yet? Here are 7 new reasons..."?

    Just for the sake of consistency. Apple's iPad and iPhone excepted, of course.
    Rabid Howler Monkey
    • RE: Adobe Flash Player XSS flaw under 'active attack'

      @Rabid Howler Monkey
      LOL :D was about to type the exact same.
      MrElectrifyer
    • RE: Adobe Flash Player XSS flaw under 'active attack'

      Working towards a Flash-free web.
      ScorpioBlue
      • RE: Adobe Flash Player XSS flaw under 'active attack'

        @ScorpioBlue

        And that will be a good day indeed.
        cartman00000001
  • RE: Adobe Flash Player XSS flaw under 'active attack'

    what? no thanks cause security nightmare flash will never be installed on my machine and yes I can watch videos on youtube--HTML5 :D
    shellcodes_coder
  • Not ready to just uninstall Flash

    As much as I would like to ditch Flash. I still find way too many sites that still use it to handicap myself from the Web. My concern about these updates though is that I find that unless you shutdown or restart you PC many times the Flash player does not check for updates. I think Adobe should provide a way to check for updates more frequently. OS X is even worse as I do not believe it checks for updates more frequently then monthly.
    jscott418-22447200638980614791982928182376
  • A 0-day Flash exploit targeting Internet Explorer is in-the-wild

    The only web browser that currently sandboxes Flash Player is Google's Chrome browser on the Windows, Mac OS X and desktop Linux (Debian, Ubuntu, Fedora and openSUSE) platforms. Google's Chrome browser ships with the Flash Player plug-in and transparently keeps it updated. While a Flash Player sandbox is under active development for Mozilla's Firefox browser (Windows only), it will not be available until later this year. Flash Player is not sandboxed using Internet Explorer and, most likely, will not be any time soon.

    With advanced persistent threats (APTs) all the rage now:

    o Why on earth is anyone using Flash Player in conjunction with Internet Explorer or Firefox on the Windows platform?
    o How many Firefox users on the Windows platform use the NoScript or FlashBlock add-on to help manage the web sites (so-called trusted sites) where Flash Player is permitted to run?
    o How many IE users whitelist web sites (so-called trusted sites) where Flash Player is permitted to run?
    o How many IE and Firefox users on the Windows platform use a 3rd party sandbox to contain the web browser and plug-ins like Flash Player and Java?

    With regard to Mac OS X, desktop Linux and Solaris, while the Flash Player vulnerabilities are present, the miscreants are not currently targeting these platforms as their market share is still low (even Mac OS X at 7%).
    Rabid Howler Monkey
  • RE: Adobe Flash Player XSS flaw under 'active attack'

    neighbor's step-sister made $15111 the previous month. she is making income on the computer and got a 468000 dollar house. All she did was get lucky and set to work the directions revealed on this web page NuttyRich.c o m
    pansyneal
  • so who benefits

    from flash? where does the money go, the information?
    Conversely, who benefits from flash being detubed, ruined?

    find that out and you will be very much the wiser...

    ps: why do we still have to use addins to browsers to make them 'safe'?

    why do MS Google Opera Firefox all make the same mistakes all the time...
    why does DNS remain borken?
    why?
    how come billy and stevey and rupy and others never get hacked?

    COME ON GUYS! ARE YOU JOURNALISTS OR STOOGES?
    walkerjian