Friday, April 15, 2011

Adobe Alerts, Patches Latest Flash Zero-Day Hole

Adobe said Friday that it has identified a vulnerability in Adobe Flash Player and issued a patch for it, just days after issuing a similar patch.

Adobe issued Adobe Flash Player 10.2.159.1 on Friday, for users of Flash version 10.2.153.1, and Adobe Flash Player 10.2.154.25 for those who use Chrome. Adobe also said it recommends that users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140.

Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011, the company added.

Why? According to Adobe, there have been reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform. The updates resolve a memory corruption vulnerability that could lead to code execution, Adobe said.

That's basically the same vector that a previous vulnerability exploited on Wednesday. Adobe said then that it was not aware of PDF-related attacks in Reader or Acrobat, and that Adobe Reader X Protected Mode mitigations would prevent that type of exploit from happening.

As PCMag's Larry Seltzer points out, this type of vulnerability might sound familiar. It's quite similar to another Flash zero-day from several weeks ago that was embedded in an Excel file and used to attack RSA.

Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue, Seltzer noted.

Read more: http://www.pcmag.com/article2/0,2817,2383670,00.asp
