This is a pretty serious flaw and sadly proves Steve Jobs right for not supporting Flash on the iPhone and Ipad. A new twist is that this vulnerability extends to mobile platforms such as Android due to the full support for flash. It also effects desktop systems across the board (Windows, Mac, Linux & Solaris).
Adobe revealed a critical zero day flaw in Adobe Flash–the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.
An Adobe spokesperson contacted me and shared that, “A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.”
In a nutshell, the critical flaw could be exploited to crash the affected system, or may even allow an attacker to gain access and control it to execute additional malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.
The Adobe spokesperson explained, “Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.”
There are reports of this vulnerability being exploited in the wild, but I haven’t really seen any details of it so far. It’s an interesting point regarding smart-phones and I wonder how Android developers might look at addressing this kind of issue and safeguarding the phones in the future.
A sandbox method might be a good idea, and from what I know of Android you don’t have root privileges by default anyway. We’ll have to see if Android makes any announcements regarding this or comes out with any kind of plan for future safeguards.
Those best practices are long established among the traditional desktop computing platforms, but users running Adobe Flash on Android smartphones may be left wondering exactly which “best practices” will protect them. Smartphones have grown into palm-based portable computers–with processing power and storage space significant enough to be a worthy target–but smartphone security is not as evolved as its desktop and notebook counterparts.
As Microsoft has improved its software development processes and implemented new security controls in the Windows operating system and other applications, attackers have looked elsewhere to find the chinks in the armor. Adobe has emerged as the virtually ubiquitous low-hanging fruit–with security practices that are not as mature as Microsoft’s, and software with potentially exploitable weaknesses available on pretty much every platform out there.
The iPhone and iPad stand uniquely apart from other smartphone and tablet platforms thanks to Apple’s very public rejection of Adobe Flash for iOS. While the real reasons probably have more to do with iAd and wanting to exert tighter control over the developer community, security is also a concern that has been cited. Zero day flaws like this one, which potentially impact Android smartphones running Adobe Flash, seem to illustrate the wisdom of that choice.
You can read the security advisory from Adobe here – Security Advisory for Flash Player, the fix has not been issued as yet but they do state they are working on it so expect a flash update soon.
It’ll be interesting to see what comes of this and how fast Adobe can push a patch out.
Source: Network World
Recent in Exploits/Vulnerabilities:
- Cupid Media Hack Exposes 42 Million Passwords In Plain Text
- Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol
- Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks
- Researcher Releases Android Exploit In Webkit Browser Engine
- Android Malware App Covertly Makes Purchases On China Mobile Market
- Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 222,904 views
- AJAX: Is your application secure enough? - 118,529 views
- eEye Launches 0-Day Exploit Tracker - 84,955 views