Hackers exploit latest Flash bug on large scale

Hackers are aggressively exploiting a just-patched Flash vulnerability, serving attack code "on a fairly large scale" from compromised sites as well as from their own malicious domains, a security researcher said Friday.

The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second "out-of-band," or emergency update, in nine days.

"CVE-2011-2110 is being exploited in the wild on a fairly large scale," said Steven Adair, a researcher with the Shadowserver Foundation, a volunteer-run group that tracks vulnerabilities and botnets. "In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs [non-government organizations], aerospace companies, a Korean news site, an Indian government Web site, and a Taiwanese university."

CVE-2011-2110 is the identifier for the Flash vulnerability assigned by the Common Vulnerabilities and Exposures database.

Attackers are also using the exploit in "spear phishing" attacks aimed at specific individuals, said Adair on the Shadowserver site.

Adair called the attacks "nasty" because the exploit "happens seamlessly in the background," giving victims no clue that their systems have been compromised.

When Adobe patched the vulnerability last week, it conceded that exploits were already in use.

Adair also said there's been an increase in Flash-based attacks. "There has been an ongoing assault against Flash Player for several years now, but especially so in the last three months," Adair said.

Adobe has patched Flash Player four times in the last two months, and six times so far this year. Of the six updates, five addressed "zero-day" bugs that attackers were already exploiting at the time the patches were issued.

Brad Arkin, Adobe's director of product security and privacy, acknowledged the problems in keeping ahead of attackers, but blamed the popularity of Flash Player for the attention.

"The installed base [of Flash Player] is a real big part of it," said Arkin. "It's such a widely distributed technology that attackers find it worthwhile to invest the time to carry out some kind of malicious activity. They're making an investment for the biggest return possible."

Arkin also argued that attackers get more bang for their buck by rooting out Flash vulnerabilities than they do looking for bugs in individual browsers because virtually every personal computer has the Flash plug-in installed. "Flash is the code [used in the browser] that has the highest market penetration," he said.

According to Adair, the exploit of CVE-2011-2110 has been in use since June 9, five days before Adobe issued its latest security update. Arkin corroborated that timeline.

Although Adobe's working on boosting Flash's security -- it's collaborated with Google, for example, to sandbox Flash in Chrome -- for now, its best defense is to quickly react to exploits with a patch.

"I think we're more aggressive than Microsoft," said Arkin, referring to the two companies' approaches to shipping out-of-band updates. "Basically, if we have information about attacks in the wild, or if the information is out there on a [security] mailing list -- which means attacks are imminent -- that tends to be a trigger for us to think about an out-of-band."

Microsoft's criteria for deciding whether to issue an emergency patch is confidential, but the company has said it generally considers an out-of-band fix if it sees attacks increasing in volume.

By pushing out a patch as quickly as possible, Adobe believes it squelches discussion among security researchers and attackers.

"If there are attacks in the wild, there will be lots of blog posts analyzing the vulnerability and exploit," said Arkin. "The information migrates from the high end to the low end very quickly. So we squash the debate by fixing it."

Arkin said Adobe has focused on getting patches out quickly, and that the fix for an earlier Flash vulnerability -- one Adobe released June 5 -- had a turn-around of less than 72 hours.

"The more practice we have, the faster we turn around [patches]," Arkin said.

Adair urged everyone to keep Flash Player up-to-date. "If you or your organization runs Adobe Flash and you're not keeping up on these patches ... you are in bad shape," he said.

The newest version of Flash Player can be downloaded from Adobe's Web site. Alternately, users can run the program's integrated update tool or wait for the software to prompt them that a patched edition is available.

Adobe finally patches second Flash zero-day in 9 days

Hackers exploiting bug, company confirms as it also updates Reader, ShockWave and ColdFusion

For the second time in nine days, Adobe on Tuesday patched a critical vulnerability in Flash Player that hackers were already exploiting.

Adobe also updated its popular Reader PDF viewer to quash 13 new bugs and several older ones the company had not gotten around to fixing.

The memory corruption vulnerability in Flash Player was pegged "critical" by Adobe, which said that the bug could "potentially allow an attacker to take control of the affected system" in an accompanying advisory. "There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages," the advisory added.

Adobe last issued an emergency update -- dubbed "out-of-band" -- on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials.

Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists, with messages that tried to trick them into entering their username and password on a fake Gmail login screen.

Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash.

Adobe has patched Flash Player four times in the last two months, and six times so far this year.

Although most Flash vulnerabilities can also be exploited using specially crafted PDF documents -- Adobe's Reader includes "authplay.dll," a custom version of Flash that renders content within PDFs -- Adobe said the newest Flash bug doesn't impact Reader.

Alongside the Flash security update, Adobe also fixed 13 new vulnerabilities in Reader. The newest version, Reader X, received at least 17 patches.

All but two of the 13 new bugs were pegged "critical" by Adobe, which like Apple doesn't rate flaws with a multi-label scoring system. Instead, it uses the phrase "could lead to remote code execution" to note that hackers may be able to hijack the system and plant malware on the machine by exploiting the bug.

The baker's dozen of new bugs included memory corruption vulnerabilities, buffer and heap overflow bugs, a cross-document scripting flaw, a DLL load hijacking vulnerability and one simply labeled a "security bypass" bug.

That last was a Reader X-only vulnerability that under certain circumstances lets an attacker force the Reader browser plug-in to download a non-PDF file, Adobe said in a reply to follow-up questions.

Adobe also applied at least four -- and perhaps several more -- patches to Reader X that it had declined to fix in three earlier out-of-band updates going back to March.

Although the company had patched older editions in those updates, it had not fixed Reader X, saying each time that because the program's "sandbox" prevented malware from affecting the computer, it would instead wait for Tuesday's already-scheduled quarterly update.

Reader X, which Adobe rolled out last November, includes anti-exploit sandbox technology designed to isolate the program from the rest of the system. Theoretically, the sandbox insures that malware which does launch inside Reader X can't escape to infect the PC or Mac.

According to Adobe, none of the Reader vulnerabilities patched Tuesday have been exploited in the wild.

At the same time it shipped the Flash Player and Reader security refreshes, Adobe also patched 24 vulnerabilities in Shockwave Player, two in LifeCycle Data Services and Blaze DS -- a live streaming service and data push service, respectively -- and two in ColdFusion, an Adobe development platform.

The patched versions of Reader and Flash Player can be downloaded from Adobe's Web site. Alternately, users can run the programs' integrated update tool or wait for the software to prompt them that a new version is available.

Security Updates Released For Flash Player, VLC

Adobe and VideoLAN have released security updates for some of their software programs today. Adobe released a new version of Adobe Flash Player which fixes a security vulnerability in the popular application. The security bulletin reveals that an important security vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier on all supported operating systems including Flash on Android. The cross-site scripting vulnerability could be used to impersonate a user on a website such as that of a webmail provider or financial website. Adobe confirmed reports that the vulnerability is actively exploited by embedded malicious links in email messages.

The update is classified as important which is the second highest severity rating available.

Flash users can verify the installed version of the application by visiting Adobe’s Flash Player page. The system is vulnerable to the attacks if the Flash version is 10.3.181.16 or earlier.

Download links are provided on the security bulletin’s page. The latest version can be downloaded from the official Get Flash Player page as well. Direct Downloads are available as well.

Adobe is currently not aware of attacks that use the authplay.dll component that ships with Adobe Reader and Acrobat. While the company is not aware of attacks at this point in time, it has not completed the investigation if authplay.dll is vulnerable to the recently discovered Flash vulnerability.

In other news: The developers of the popular video player VLC have also released a new version of their application to protect users from recently discovered security issues.

The release notes list an integer overflow vulnerability in xspf demuxer as well as several updates and rewrites of features in the latest version of the media player.

VLC users are encouraged to download and install the latest version of the player right away to protect their system from possible exploits.

Downloads are as usually offered at the official Videolan website.