Adobe Warns Of Critical Flash Flaw, Drive-By Downloads
Users are urged to update immediately to the patched 22.214.171.124 edition of the Flash player.
Adobe on Tuesday warned that multiple critical vulnerabilities in its Flashmedia player put users at risk, possibly from drive-by downloads, and urged all to update immediately to the patched 126.96.36.199 edition.
Microsoft also issued a security advisory Tuesday to tell customers of its Windows XP, Windows 98, and Windows Millennium operating systems -- all of which are bundled with a flawed edition of Flash -- to also update their players.
Security vendors quickly chimed in Wednesday. Danish vulnerability tracker Secunia, for example, labeled the threat as "highly critical," its second-highest warning rating.
Although Adobe didn't specify the bugs, nor give a total vulnerability count, its advisory indicated attackers would have to create a malformed .swf (Flash content file) and dupe a user into opening it.
"These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player," Adobe's advisory read.
Cupertino, Calif.-based Symantec was more specific in an alert to customers of its DeepSight Threat Management System. "Successful exploitation is said to allow for client-side execution of attacker-supplied code," Symantec's warning went. "There is a high probability that widespread exploitation could occur if a malicious .swf file were placed on a popular website.
"Apparently, no user-interaction is required to trigger the issue beyond browsing to a website with a Flash-enabled browser," continued Symantec.
Vulnerabilities that can be exploited against unsuspecting users who simply surf to a site are called "drive-by downloads," and have been attracting great attacker interest, especially after the wide success of a zero-day bug in Windows' processing of the Metafile (WMF) that was exploited using drive-bys in 2005 and into early 2006.
Most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, are Flash-enabled. Microsoft's advisory offered up several workarounds, including disabling the Flash ActiveX control or removing it entirely. The SANS Institute's Internet Storm Center told Firefox users that they may be able to block attacks with the popular AdBlock extension, which blocks all .swf files, though it warned "it's not necessary that the malware end in '.swf.'"
This is not the first Flash bug. The media player was patched as recently as November 2005 against a similar flaw. Two years before that, another critical vulnerability was uncovered.
For its part, Microsoft passed users to Adobe, telling customers to head to Adobe's Web site for guidance.
Microsoft was just as mum as Adobe about the problem's root causes, saying only that it knew of "recent security vulnerabilities in Flash." The Redmond, Wash.-based developer, however, discovered the bugs; Adobe thanked Microsoft for reporting the vulnerabilities.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.