{"id":3095,"date":"2011-04-18T11:17:21","date_gmt":"2011-04-18T10:17:21","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3095"},"modified":"2015-09-09T19:37:15","modified_gmt":"2015-09-09T11:37:15","slug":"adobe-patches-latest-flash-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/04\/adobe-patches-latest-flash-zero-day-vulnerability\/","title":{"rendered":"Adobe Patches Latest Flash Zero Day Vulnerability"},"content":{"rendered":"

There’s been a lot of news about this Adobe Flash Player vulnerability as apparently it has been exploited in the wild and Adobe were willing to push out an out-of-band patch for it – which means in their eyes it is really serious.

They don’t have a great reputation for testing their software before releasing it (the latest 10.2.x versions seem to be causing a LOT of problems on Firefox), so we’ll just have to hope it’s a good patch. They promised the patch for another deadly 0-day back in March, roughly a month ago.

At least it’s patched now and I truly hope that the latest version also stabilises Flash Player for Firefox.

<blockquote>Adobe today patched a critical vulnerability in Flash Player that the company said criminals were already exploiting with malicious Microsoft Word and Excel documents. On Monday, Adobe acknowledged the bug, said exploits were circulating, and promised to fix the flaw with an emergency update.

Today’s update was Adobe’s second rush patch in less than four weeks. The new version, Flash Player 10.2.159.1, is available for Windows, Mac, Linux and Solaris. Missing from that list is Android, the Google mobile operating system that also runs Flash. A fix for the same flaw will be issued to Android users no later than the week of April 25, said Adobe.

Adobe will patch the popular PDF viewer Adobe Reader that same week. The Flash vulnerability also exists in Reader and the more advanced Acrobat because both include code that renders Flash content embedded in PDF files. Although initial attacks were launched using malicious Word attachments, hackers later expanded the campaign to include malformed Excel files, according to Mila Parkour, the independent security researcher who reported the Flash flaw to Adobe.

Parkour, who has been tracking the attacks for more than a week, has published information about them on her Contagio Malware Dump blog.<\/blockquote>

There’s no patch yet for the Android version of Flash, but Adobe has promised it will be pushed out by April 25th (next Monday). Incidentally, they will also be patching PDF Viewer and Adobe Reader next week, as they both render Flash and are also vulnerable to this exploit.

So Flash content embedded in PDF files is a viable vector for infection using this vulnerability; in the wild, both Word and Excel files (with embedded Flash files) were being used to exploit it.