Adobe Warns Of Active Flash Attack

  /     /     /  
Publicated : 22/11/2024   Category : security


Adobe Warns Of Active Flash Attack


The critical, zero-day vulnerability affects most recent versions of Flash, Reader, and Acrobat, although apparently not Reader X on Windows.



(click image for larger view)
Slideshow: 10 Massive Security Breaches
Attackers are currently exploiting a zero-day vulnerability in Adobe Flash Player. Adobe said that attackers can exploit the bug to crash or take control of a system. All versions of Flash 10.x for Windows, Macintosh, Linux, Solaris, and Android are vulnerable.
According to Adobes
security advisory
, issued on Monday, there are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. Since Flash Player is also built into Adobe Reader and Acrobat, both these products are also at risk. To date, however, this vulnerability apparently hasnt been exploited using those products.
Some user action is required for the attack to succeed. The target must open a malicious XLS file for a vulnerability in Flash to be exploited, said Kaspersky Lab security researcher Roel Schouwenberg, in a
blog post
. He has confirmed that the vulnerability can be exploited on Windows XP systems. While the attack thats currently in the wild doesnt appear to work on Windows 7 systems, he warned that attackers could easily adapt it to do so, using
return-oriented programming
techniques.
No patch yet exists for the vulnerability, though Adobe plans to release a fix for some products during the week of March 21. That update will patch Flash Player 10.x (and earlier versions) for Windows, Macintosh, Linux, Solaris, and Android, as well as Reader X on Macintosh and Reader 9.4.2 (and earlier) on Windows.
Interestingly, Adobe isnt planning to patch Adobe Reader X until June 14, 2011, which is the currently scheduled date for its next quarterly patch release. Thats because the softwares protected mode -- aka
sandbox
-- should prevent this exploit from being able to execute,
Adobe said
.
But as news of the vulnerability surfaced, some security researchers have asked why anyone would ever need to run a Shockwave file from an Excel spreadsheet. This is a clear example of too much functionality in a product leading to security problems, said Kasperskys Schouwenberg. As such, it would be great if Microsoft would allow us to turn off these excess features. Or, alternatively, Adobe could disallow such integration to reduce the attack surface.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Adobe Warns Of Active Flash Attack