Zero-day Flash bug patched by Adobe in emergency update

In-the-wild attacks target Internet Explorer, says company

Adobe has warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message," last week's advisory said.

Although all editions of Flash Player contain the vulnerability and should be patched, the active exploit is targeting only users of Microsoft's Internet Explorer (IE).

Flash Player for IE is an ActiveX plug-in, the Microsoft-only standard; other browsers, including Firefox and Chrome, use a different plug-in structure.

The update was pegged with Adobe's priority rating of "1," used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

Adobe disclosed relatively few details about the vulnerability - its usual practice - other than to label it an "object confusion vulnerability," note the Common Vulnerabilities & Exposures ID of CVE-2012-0779, and acknowledge that triggering the bug "could cause the application to crash and potentially allow an attacker to take control of the affected system."

It's unclear how extensive the active attacks are, although Adobe's calling them "targeted" hints at a low volume of attempts aimed at specific individuals or companies.

Today's Flash Player update was the fourth this year - the latest before Friday was on March 28 - putting the frequently-patched program on about the same pace as last year, when Adobe issued a total of nine Flash security updates.

In March, Adobe addressed the frequent updating pain point - at least for Windows users - by shipping Flash Player 11.2, which uses a silent, background update mechanism. In some situations, the silent update is supposed to kick in and automatically patch the plug-in in IE, Firefox, Safari and Opera on Windows without notifying or bothering users.

At the time, Adobe said it would switch on silent updates "on a case-by-case basis," but hinted that the service would primarily be used to distribute patches for zero-day vulnerabilities, such as today's.

Adobe confirmed that it has, in fact, enabled Flash silent updates for Windows in this instance.

The current stable version of Chrome - Google's browser is the only one that includes the Adobe software in its updates - reports running the patched 11.2.202.235 edition of Flash Player. Google shipped that version of Chrome, 18.0.1025.168, on April 30, giving it a four-day jump on Adobe's plug-in patching.

It was Chrome's largest-ever lead: previously, Google has beaten Adobe to Flash Player patching by hours, or at most a day.

Adobe again explained Chrome's faster Flash patching by noting that it hands Flash updates to Google as "soon as we updated the code," but needs more time on its part to test fixes on scores of operating system and browser combinations before it's confident enough to ship the update to all users.

Microsoft's vulnerability research group reported the Flash vulnerability to Adobe.

The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe's website. Windows users can wait for the silent updater to kick in, run Flash's update tool or wait for the software to prompt them that a new version is available.

Android users are now able to download the new version from Google Play, formerly the Android Market.

To determine which version of Flash Player is running in any particular browser, users can steer to this Adobe page.


