Adobe to rush out Flash Player patch to thwart zero-day attacks

Adobe to rush out Flash Player patch to thwart zero-day attacks

Summary: Another in-the-wild zero-day attack prompts an urgent Flash Player patch from Adobe.

SHARE:

[ UPDATE: The update is live. Here's a link with more details]

Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.

According to Adobe, the Flash Player update will address critical security issues in the product as well as an importantuniversal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

The company is expected to fix at least 16 documented vulnerabilities, some critical enough to expose Windows and Mac users to code execution attacks via Flash files hosted on Web pages.

follow Ryan Naraine on twitter

The Adobe patch comes a day after Google shipped a Chrome update that "includes an update to Flash Player that addresses a zero-day vulnerability."

Details on the targeted zero-day attacks are not yet available but it's clear these types of attacks are happening at a very high level.

Just this week at the United Security Summit, Adobe security chief Brad Arkin said the company's main adversaries are state-sponsored actors.

From Threatpost's Dennis Fisher:

"In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries," Arkin said in his keynote speech at the United Security Summit here Tuesday. "These are the groups that have enough money to build an aircraft carrier. Those are our adversaries."

Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it's likely an entirely different set of attackers using the exploit. But it's the well-funder and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

"These samples trickle downhill really quickly and show up in crime packs," Arkin said. "The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it's a very different cost."

In addition to Flash Player, Adobe's PDF Reader and Acrobat software products are among the main targets for sophisticated attacks.

Topics: Enterprise Software, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • this is on windoze only folks

    Linux is safe. No worry.
    The Linux Geek
    • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

      @The Linux Geek

      You're not living in the universe where that's true. Maybe the next lifetime for you.

      Dude with LINUX at home,
      -M
      betelgeuse68
    • Adobe has just updated the (32 bit) Flash plugin for Linux too.

      @The Linux Geek
      An update to the Flash plugin from the Adobe RPM repository has just hit my Fedora 15 box, so I would guess that <i>all</i> versions are vulnerable. It would be really foolish of you to ignore this...

      Distressingly, there's no sign of an update for the 64 bit plugin yet, though.

      UPDATE:
      And if you actually read Adobe's announcement:
      <i>"Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system."</i>
      Zogg
    • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

      @The Linux Geek

      Your love of Linux is like having a P3N1S... It's great that you have it, are happy with it, and proud of it, but waving it around to show everyone makes you a jerk.

      Please stop.

      I am not a M$ Windoze fanboi either, but enough is enough. You have become that guy that nobody likes having around. I'll bet even Linux people are becoming embarrassed by you.
      mlashinsky
    • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

      Yeah but the rest of the world is using windows. This flash update has been a big issue for these zero day attacks. The 2 most recent attacks are both being distributed by FAKE flash updates. Here are the sites and names of the infections <a href="http://www.spywarehelpcenter.com/how-to-remove-data-recovery-virus-removal/" target="_blank">data recovery virus</a> and <a href="http://www.spywarehelpcenter.com/how-to-remove-opencloud-security-virus-removal/" target="_blank">open cloud virus</a> . Because adobe updates flash frequently its an easy target for these hackers to trick the not so savvy PC users.
      reviewsgirl
  • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

    The article states this applies to windows and macs.
    SuperComputerGuru
    • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

      @SuperComputerGuru <br><br>No, a blog post from Naraine's blog doesn't usurp what Adobe says (but he did mention the Mac):<br><br>"Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system."<br><br>As a rule of thumb, Flash flaws tend to be cross platform. But since LINUX has like 1% (not even) of desktops, bloggers don't tend to bother mentioning it.
      betelgeuse68
  • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

    Just another reason why I grudgingly have to admit that Steve Jobs was right for banning flash from iOS. I am sick and tired of having to patch Flash all the time. There are more holes in it than a block of Swiss Cheese.
    Zzznorch
  • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

    What's the longest period Adobe has gone this past year between Flash updates? 2 weeks? 4 days?
    JustCallMeBC
  • Flash may have security holes per Apple's former CEO

    But check out Quicktime and iTunes on www.secunia.com's site for a great read on security holes. There is plenty of insecurity to go around. Granted, Flash keeps us quite busy in IT, but we banned Apple software.
    jahat
  • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

    Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks////////////////.this is 9/23....where's this so called new patch???
    varick
  • RE: Adobe to rush out Flash Player patch to thwart zero-day attacks

    Flash is the biggest PITA! It is constantly updating, and is still constantly vulnerable! I think it is time to get rid if it and live without it.

    Adobe is trying to be like M$, but the only features it is copying correctly are being bloated and vulnerable to attack!
    mlashinsky