15 September 2010 | 8,656 views

Critical Zero Day Abobe Flash Flaw Puts Android Phones At Risk

Acunetix Web Application Security

Adobe hasn’t been having the best of luck recently with a string of serious PDF exploits in their Reader software and now in less than a week two critical flaws in Flash.

This is a pretty serious flaw and sadly proves Steve Jobs right for not supporting Flash on the iPhone and Ipad. A new twist is that this vulnerability extends to mobile platforms such as Android due to the full support for flash. It also effects desktop systems across the board (Windows, Mac, Linux & Solaris).

Adobe revealed a critical zero day flaw in Adobe Flash–the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.

An Adobe spokesperson contacted me and shared that, “A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.”

In a nutshell, the critical flaw could be exploited to crash the affected system, or may even allow an attacker to gain access and control it to execute additional malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.

The Adobe spokesperson explained, “Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.”

There are reports of this vulnerability being exploited in the wild, but I haven’t really seen any details of it so far. It’s an interesting point regarding smart-phones and I wonder how Android developers might look at addressing this kind of issue and safeguarding the phones in the future.

A sandbox method might be a good idea, and from what I know of Android you don’t have root privileges by default anyway. We’ll have to see if Android makes any announcements regarding this or comes out with any kind of plan for future safeguards.

Those best practices are long established among the traditional desktop computing platforms, but users running Adobe Flash on Android smartphones may be left wondering exactly which “best practices” will protect them. Smartphones have grown into palm-based portable computers–with processing power and storage space significant enough to be a worthy target–but smartphone security is not as evolved as its desktop and notebook counterparts.

As Microsoft has improved its software development processes and implemented new security controls in the Windows operating system and other applications, attackers have looked elsewhere to find the chinks in the armor. Adobe has emerged as the virtually ubiquitous low-hanging fruit–with security practices that are not as mature as Microsoft’s, and software with potentially exploitable weaknesses available on pretty much every platform out there.

The iPhone and iPad stand uniquely apart from other smartphone and tablet platforms thanks to Apple’s very public rejection of Adobe Flash for iOS. While the real reasons probably have more to do with iAd and wanting to exert tighter control over the developer community, security is also a concern that has been cited. Zero day flaws like this one, which potentially impact Android smartphones running Adobe Flash, seem to illustrate the wisdom of that choice.

You can read the security advisory from Adobe here – Security Advisory for Flash Player, the fix has not been issued as yet but they do state they are working on it so expect a flash update soon.

It’ll be interesting to see what comes of this and how fast Adobe can push a patch out.

Source: Network World





                

Recent in Exploits/Vulnerabilities:
- Heartbleed Bug SSL Vulnerability – Everything You Need To Know
- Oracle Java Cloud Service Vulnerabilities Publicly Disclosed
- ODA – Online Web Based Disassembler

Related Posts:
- Researcher Releases Android Exploit In Webkit Browser Engine
- Android Malware App Covertly Makes Purchases On China Mobile Market
- Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 225,311 views
- AJAX: Is your application secure enough? - 118,948 views
- eEye Launches 0-Day Exploit Tracker - 84,996 views

Low-cost VPS Hosting

8 Responses to “Critical Zero Day Abobe Flash Flaw Puts Android Phones At Risk”

  1. Foo 16 September 2010 at 1:00 pm Permalink

    “This is a pretty serious flaw and sadly proves Steve Jobs right for not supporting Flash on the iPhone and Ipad.”

    Are you kidding me? With that type of logic I guess they shouldn’t provide a web browser or PDF viewer since the iPhone has been exploited by bugs in these apps several times.

  2. NNM 16 September 2010 at 1:05 pm Permalink

    People always scuffed and laughed at me when I told them: “No, sorry, I can’t view that: it’s flash and I don’t want that virus on my computer.”
    or “Pdf? Foxit Reader. Adobe only makes viruses.”
    or “No Adobe shit on my computer.”
    Maybe it’s time to ban/boycott ANYTHING Adobe makes.

  3. troger 16 September 2010 at 9:19 pm Permalink

    I will have to say that personally I use Adobe products and most people in the computer world use Adobe in some shape form or fashion. I will say it has its advantages but it is a program written by people and there is not any software out there that is not flawed in some way. The only reason hackers attack such programs and exploit there flaws is because they are used by so many people.THE ONLY REASON that mac. has not been attack as much as microsoft is because of the number of people that run Windows verses mac. What company runs mac. based software that is not music, photo, or video based. I promise you if you look at the numbers Microsoft has more computers and users than Mac ever will!!!!!!

  4. nopsled 17 September 2010 at 1:08 am Permalink

    I’ve said it before and I will say it again but I think the time is nearing for Adobe to do a ground up rewrite ;)

  5. reallango 19 September 2010 at 3:19 am Permalink

    I just made the switch from iPhone to an android EVO and this news does not make me regret it at all. The open aspects of android far outweigh the extra risk for me. Apple’s decision not to include flash in ios had more to do with locking the customer into using there software then in security concerns. Everything on the iPhone is already sanboxed so the worst it should have been able to do is cause you to force close the program or restart the phone. Please don’t give apple credit for making bad decisions just because of a few security concerns. It does not make there reasoning any less of a lie.

    P.S. I loved my iPhone untill I waited forever for completed apps to never make it to the market because they went against things apple may do later or disagreed with for stupid reasons.

  6. whatwhere 20 September 2010 at 9:58 pm Permalink

    “Hasn’t been having the best of luck recently”? What’s luck to do with it? They designed software and data formats like they were purpose built for this kind of issue, and then implemented them badly enough they exceed expectations. Bad luck for us, though.

    • Darknet 21 September 2010 at 6:02 am Permalink

      The luck isn’t to do with the flaws being there, that’s just sloppy coding. It’s bad luck that they got discovered.

  7. NNM 21 September 2010 at 6:16 am Permalink

    You have to ask why it’s so sloppy coding and why it’s such an easy target. It’s partly because adobe fires it’s coders right after a release. So you have a bunch of angry coders who know too much about the code… That’s not good… I don’t think it’s just bad luck, but a mix of “what goes around comes around”.
    ++ The web is not supposed to be about installing plugins that run on your machine instead of on a server, like a normal webpage; plugins that add processes to your machine that never stop running, etc.
    The way flash behaves, often reminds me of rootkits. I don’t know if it’s the same now, but I remember fighting against the flashplayerupdate process, like it was a virus. After that, all adobe got banned from my computers, and I really don’t miss it!! If a flash is absolutely necessary to watch: google chrome. And it seems dramatic security flaws are exposed weekly…