[ UPDATE: The update is live. Here's a link with more details. ]
Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.
According to Adobe, the Flash Player update will address critical security issues in the product as well as an importantuniversal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.
The company is expected to fix at least 16 documented vulnerabilities, some critical enough to expose Windows and Mac users to code execution attacks via Flash files hosted on Web pages.
The Adobe patch comes a day after Google shipped a Chrome update that “includes an update to Flash Player that addresses a zero-day vulnerability.”
Details on the targeted zero-day attacks are not yet available but it’s clear these types of attacks are happening at a very high level.
Just this week at the United Security Summit, Adobe security chief Brad Arkin said the company’s main adversaries are state-sponsored actors.
From Threatpost’s Dennis Fisher:
“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in his keynote speech at the United Security Summit here Tuesday. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”
Arkin said that when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.
From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funder and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.
“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it’s a very different cost.”
In addition to Flash Player, Adobe’s PDF Reader and Acrobat software products are among the main targets for sophisticated attacks.
