October 28, 2010, 10:03AM
New Adobe Flash Bug Being Exploited
14 Comments
On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks.
The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader.
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.
Editor's Pick
This flaw is the latest is a string of bugs that have cropped up in Adobe products in the last few months. There have been a number of critical flaws exposed in Flash, Reader and other Adobe software, including one in the company's Shockwave application, which it is patching on Thursday. The Shockwave flaw is remotely exploitable and the details of it have been known publicly for some time.
Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15.
Commenting on this Article is closed.
Today's Most Popular
- Anatomy of a LulzSec Attack 'Singles Out' Web 2.0 Weakness
- OPINION: Are Anonymous Members Forged in the Crucible of IT Compliance?
- Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops
- Google to Notify Users of DNSChanger Infections Ahead of July 9 Deadline
- Facebook Cancellation Malware Disguised As Adobe Update Making Rounds
Most Commented Stories
Newsletter Sign-up
Take Our Poll
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you
Connect to anything
20%
Only connect to password-protected, secure connections
38%
Only use websites with HTTPS
28%
I don’t pay attention to how I access the internet while traveling
14%
Total votes: 65
Follow Threatpost
 |  |  |  |
| Tumblr |
Comments
Would like to see a link at the bottom of these stories with information on
ways to protect yourself when waiting on these patches. Not just on this alert but all
alerts you might post here in the future.
We typically include that information when it's available, but sometimes there are no mitigations available for a particular bug. Adobe did put a link to some mitigation advice in its advisory, but the link was broken when I clicked through.
Here's an idea... uninstall flash. Or better yet, stay off the internet :D
Then fire up your 256 core Beowulf cluster to enable you to run the improbably bloated version of FatFox you now have. Or just turn off flash for two weeks.
As I told year ago, Flash is devil.
Can someone point to some tecnhical information about the bug? was it a buffer overflow? a wild pointer?
Getting freaking tired of patching Adobe products. Adobe attacks account for almost %50 of the incidents out there. Maybe the Chinese or Russian owns Adobe... Adobe, get your f**king products acts together...
You try writing a piece of software across 10 different platforms that can practically do everything a desktop application can do. Also, install it on 90%+ off all devices with a browser, so it makes it a really really juicy target for malware writers.
Software will always have a few with bugs, regardless of what platform (software or hardware) you choose. Whether your platform is going to be targetted is a different story, largely dependent on whether you have 50%+ of the market.
How much faster do you think computers would be if absolutely no security measures were needed? In programming , I have noticed that I can trade security for efficiency at an alarming rate, seems like computers would work much, much faster if there wasn't people making viruses and such...
But at least these issues are addressed when they appear, though the programmers should really know their programs enough to fix them before they are released to the public like this...