Adobe Flash Hit with 0-Day Exploit

nsane.forums

Adobe has published a security advisory in response to a critical flaw found in Flash Player. The vulnerability affects Flash Player for Windows, Mac OS X, Linux, Solaris, and Android, and also impacts the authplay.dll component included in Adobe Acrobat and Adobe Reader X.

A successful exploit of the Flash vulnerability could crash the system, or allow the attacker to take complete control of the affected system. Adobe reports that the flaw is being actively exploited in the wild in targeted attacks using a malicious Flash file (SWF) embedded in a Microsoft Excel (XLS) e-mail file attachment. There are not yet any reports of attacks targeting Adobe Acrobat or Adobe Reader, and Adobe stresses that the Protected Mode sandbox in Reader X would prevent the malicious exploit from executing.

Adobe is working on a fix for the vulnerability. An update for Flash Player, Acrobat, and some versions of Reader is expected to be available sometime next week. However, because the sandbox protection in the Windows version of Adobe Reader X would protect against this flaw being exploited, Adobe does not plan to update that software until the next regular quarterly update scheduled for June 14.

The Adobe Secure Software Engineering Team (ASSET) Blog post explains, "We considered providing an out-of-cycle update for Adobe Reader X as well, which would have delayed the current patch release schedule by about another week," adding, "However, given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments."

Potential performance and/or battery drain issues aside, the persistent security concerns introduced by Adobe Flash seem to defend and reinforce Apple's decision not to support the popular format on its various iOS-based mobile devices like the iPhone and iPad.

The Motorola Xoom just finally started getting Adobe Flash functionality. However, Motorola Xoom owners anxious to install Adobe Flash support on the Android tablet might want to consider waiting for the fixed version.

nsane.forums

Critical Flash flaw won't be fixed until next week

Adobe Systems has discovered a "critical vulnerability" in its Flash Player that might cause all kinds of trouble for users.

The company said yesterday that the flaw could cause a user's computer or mobile device to crash--and, more concerning, that the vulnerability could "potentially allow an attacker to take control of the affected system." So far, the company has discovered that the vulnerability is being exploited in Flash files, as well as through Microsoft Excel. Adobe said that the issue hasn't affected Reader or Acrobat.

The flaw affects Adobe Flash Player 10.2.152.33 and earlier versions of the platform running on every major operating system, including Windows, Macintosh, Linux, and Solaris. It's also an issue on Android devices running Flash 10.1 and earlier.

That last point is destined to spark some controversy.

Unlike Android, Apple's iOS mobile operating system has never supported Flash. Instead, iOS supports HTML5, a standard that Apple believes will eventually overtake Flash. But it goes beyond just getting behind an alternative to Flash. Apple's big issue with Adobe's offering stems from the potential security headaches.

Writing last year in an open letter on his company's Web site, Apple CEO Steve Jobs said that "Flash is the No. 1 reason Macs crash." He also cited a report from security firm Symantec, saying that it "highlighted Flash for having one of the worst security records in 2009."

"We don't want to reduce the reliability and security of our iPhones, iPods, and iPads by adding Flash," Jobs wrote.

Adobe plans to release a fix for the vulnerability sometime next week. Until then, the company warned users to "follow security best practices by keeping their anti-malware software and definitions up to date."
