Adobe Warns Of Critical Flash Flaw, Drive-By Downloads
Users are urged to update immediately to the patched 18.104.22.168 edition of the Flash player.
Adobe on Tuesday warned that multiple critical vulnerabilities in its Flashmedia player put users at risk, possibly from drive-by downloads, and urged all to update immediately to the patched 22.214.171.124 edition.
Microsoft also issued a security advisory Tuesday to tell customers of its Windows XP, Windows 98, and Windows Millennium operating systems -- all of which are bundled with a flawed edition of Flash -- to also update their players.
Security vendors quickly chimed in Wednesday. Danish vulnerability tracker Secunia, for example, labeled the threat as "highly critical," its second-highest warning rating.
Although Adobe didn't specify the bugs, nor give a total vulnerability count, its advisory indicated attackers would have to create a malformed .swf (Flash content file) and dupe a user into opening it.
"These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player," Adobe's advisory read.
Cupertino, Calif.-based Symantec was more specific in an alert to customers of its DeepSight Threat Management System. "Successful exploitation is said to allow for client-side execution of attacker-supplied code," Symantec's warning went. "There is a high probability that widespread exploitation could occur if a malicious .swf file were placed on a popular website.
"Apparently, no user-interaction is required to trigger the issue beyond browsing to a website with a Flash-enabled browser," continued Symantec.
Vulnerabilities that can be exploited against unsuspecting users who simply surf to a site are called "drive-by downloads," and have been attracting great attacker interest, especially after the wide success of a zero-day bug in Windows' processing of the Metafile (WMF) that was exploited using drive-bys in 2005 and into early 2006.
Most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, are Flash-enabled. Microsoft's advisory offered up several workarounds, including disabling the Flash ActiveX control or removing it entirely. The SANS Institute's Internet Storm Center told Firefox users that they may be able to block attacks with the popular AdBlock extension, which blocks all .swf files, though it warned "it's not necessary that the malware end in '.swf.'"
This is not the first Flash bug. The media player was patched as recently as November 2005 against a similar flaw. Two years before that, another critical vulnerability was uncovered.
For its part, Microsoft passed users to Adobe, telling customers to head to Adobe's Web site for guidance.
Microsoft was just as mum as Adobe about the problem's root causes, saying only that it knew of "recent security vulnerabilities in Flash." The Redmond, Wash.-based developer, however, discovered the bugs; Adobe thanked Microsoft for reporting the vulnerabilities.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.