Adobe Flash Player patched for zero day vulnerabilities
On Sunday, June 5, 2011, while I was enjoying a steak dinner, Adobe was busy releasing critical patches for its ubiquitous Flash Player. The bulletin, APSB11-13, addresses CVE-2011-2107 and affects every supported operating system and platform, including smart phones. Adobe oddly rated it only "important" rather than "critical"; on Adobe's scale "critical" is reserved for bugs that let native code run without the user noticing, while "important" covers bugs that compromise data, which is where a cross-site scripting flaw technically lands, even one that is being exploited in the wild.
A vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
Note the last sentence in the blockquote, where it refers to malicious links in email messages. For the last two weeks I have been updating my custom MailWasher Pro spam filters to combat these very links. Spam email has been pumped out by rented botnets, pretending to come from Adobe, Skype and a filesharing program that is claimed to be an alternative for the now dead LimeWire system. All contain links to exploit websites, all of which are hosted on servers in China. The goal was to draft more innocent computers into spam botnets.
The Adobe scam claims to provide an urgent update for Adobe Flash, Acrobat and Reader software. Please believe me when I tell you that Adobe does NOT send out unsolicited email messages to the general public, announcing updates to its products.
The fact is that there were serious zero day, highly targeted attacks launched from China, disclosed last week by Google, exploiting a previously unpublished cross-site scripting vulnerability in all then-current versions of Adobe Flash. Because it is a universal XSS, the attacker's script runs in the context of whatever site the victim is logged into, not just the page hosting the malicious Flash content. Kudos to the Adobe security team for rushing out patched versions so quickly.
Affected operating system platforms:
The Flash vulnerability patched on June 5 affects all of these platforms: Windows, Macintosh, Linux and Solaris computers/servers and Google Android handheld devices.
All browsers that load Flash are affected, Internet Explorer included, which uses a separate ActiveX build of the player. In fact, IE got a newer build than Firefox and Opera: version 10.3.181.23 for ActiveX. The Flash plug-in for Firefox and Opera is version 10.3.181.22. Google bundles its own copy of Flash inside Chrome and updates it with the browser itself; it has just released Google Chrome 11.0.696.77 for this fix.
Adobe Flash Player 10.3.181.16 and earlier versions for the Windows, Macintosh, Linux and Solaris operating systems are exploitable by the latest zero day attacks.
Android phone and tablet users will have their update available on or after the morning of June 6, 2011. All versions of Flash for Android up to 10.3.185.22 are vulnerable.
How to get your update for Adobe Flash.
All users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris can upgrade to the newest version by downloading it from the Adobe Flash Player Download Center. Windows users and users of Adobe Flash Player 10.3.181.16 for Macintosh can instead install the update via the auto-update mechanism within the product when prompted.
Windows users take note: You must upgrade Internet Explorer's ActiveX Flash even if you use another browser as the default browser for your computer. Other programs and email clients embed that same ActiveX control, so a vulnerable copy is still reachable even if you never open IE. Then update the plug-in used by Firefox and Opera, which is a different build of Flash (Chrome carries its own bundled copy and updates it with the browser). Don't forget to close the browsers after the installation to finish the upgrade.
Adobe Flash for Ubuntu is distributed through Update Manager, in the form of a special package. Run Update Manager every few days, or at least once a week, to check for and apply all available patches and updates, not just Flash.
After you update Flash in your browsers, restart them to complete the installation: a running browser keeps the old plug-in library loaded in memory, and the new version is not used until every process that loaded the old one has exited. Then visit the Adobe About Flash web page and verify that the version it reports matches the latest version listed on that page.
If you encounter any problems upgrading Flash, or uninstalling previous versions, please visit the Adobe Flash troubleshooting page.
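The version numbers above are only useful if you compare them correctly. The following script is an added example, not code from this post or from Adobe: it takes the patched build numbers stated above for each flavor of Flash (ActiveX, browser plug-in, Android) and decides which copies in a small inventory still need the fix. The inventory lines are constructed sample data, the Android threshold of 10.3.185.23 is an assumption (the first build above the 10.3.185.22 that the post says is vulnerable), and the point it makes is that versions must be compared as numbers, because as strings "10.3.181.9" sorts after "10.3.181.23".

```python
"""Decide whether an installed Adobe Flash Player build is at or past the
June 5, 2011 fix (APSB11-13 / CVE-2011-2107).

Added example; not part of the original post or of any Adobe tool. The
thresholds are the build numbers given in the post. The inventory below is
constructed sample input, not the output of a real tool.
"""
from typing import List, Tuple

# Lowest patched build per flavor of Flash, as stated in the post.
# Android: the post only says builds up to 10.3.185.22 are vulnerable, so the
# first build above that is treated as fixed. This is an assumption.
PATCHED = {
    "activex": (10, 3, 181, 23),   # Internet Explorer (ActiveX control)
    "plugin":  (10, 3, 181, 22),   # Firefox, Opera and other NPAPI browsers
    "android": (10, 3, 185, 23),   # assumption, see above
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.181.16' into (10, 3, 181, 16).

    Comparing version *strings* is a classic mistake: '10.3.181.9' sorts after
    '10.3.181.23' lexically because '9' > '2'. Integer tuples compare correctly.
    Adobe's About page and the ActiveX control's properties sometimes show
    versions with commas ('10,3,181,23'), so both separators are accepted.
    Short forms such as '10.3' are padded with zeros to four components.
    """
    parts = text.strip().replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(flavor: str, version: str) -> bool:
    """True if this flavor/build is still exposed to CVE-2011-2107."""
    key = flavor.lower()
    if key not in PATCHED:
        raise ValueError(f"unknown Flash flavor: {flavor!r}")
    return parse_version(version) < PATCHED[key]


# Constructed inventory: one "host flavor version" line per installed copy,
# in the shape a simple asset-collection script might produce. Not real data.
SAMPLE_INVENTORY = """\
pc-01     activex 10.3.181.23
pc-01     plugin  10.3.181.22
pc-02     activex 10.3.181.16
pc-02     plugin  10.3.181.9
laptop-03 plugin  10.2.159.1
phone-04  android 10.3.185.22
"""


def audit(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, flavor, version) for every copy that still needs the patch."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, flavor, version = line.split()
        if is_vulnerable(flavor, version):
            findings.append((host, flavor, version))
    return findings


if __name__ == "__main__":
    for host, flavor, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {flavor} {version} is vulnerable to CVE-2011-2107, update it")
```

Note that a Windows machine shows up twice, once for the ActiveX control and once for the plug-in, and that the two have different patched build numbers; a check that compares every copy against a single "latest" string gets one of them wrong.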
Epilogue
Adobe Flash is one of the more frequently exploited pieces of software, behind only the Java Virtual Machine, now owned by Oracle. Incidentally, Oracle is about to release a critical patch for Java. I'll let you know when it has been released. Make yourself aware of the dangers of running exploitable software and learn how to check each type for security updates and patches. If you stay in the loop regarding security news and software updates, your computers will remain more secure than if you let it slide and just hope it goes away.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.