Adobe on Monday issued two emergency fixes for critical security vulnerabilities in its Flash Player product. The vulnerabilities, if left unpatched, could allow an attacker to take control of a system running a vulnerable version of Flash Player.
Adobe on Monday issued two emergency fixes for critical security vulnerabilities in its Flash Player product. The vulnerabilities, if left unpatched, could allow an attacker to take control of a system running a vulnerable version of Flash Player.
The Security Bulletin, APSB12-05, includes updates for two vulnerabilities, identified as CVE-2012-0768 and CVE-2012-0769. The company said the holes, reported to Adobe by security researchers Tavis Ormandy and Fermin Serna of Google, affect a wide range of platforms, including Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. The company said that the holes were Priority 2 vulnerabilities, and said it did not know of any active attacks leveraging the vulnerabilities.
Customers were advised to patch vulnerable systems within 30 days.
Attackers have long sought out vulnerabilities in Flash, Acrobat and Adobe’s other software products, which are ubiquitous. In just the latest example, an Adobe Flash vulnerability fixed last month is being used in targeted attacks, with attackers attempting to persuade victims to open a malicious Word document that contains the payload for the Flash bug.
That vulnerability, CVE-2012-0754, has been patched for nearly a month, but history has shown that flaws that have been patched for several months or even years are still quite valuable for targeted attacks, according to a blog post by researcher Mila Parkour at Contagio.
Parkour analyzed one of the recent targeted attacks and found that the malicious code attempts to download an MP4 file that looks benign. The subject of the email that contains the exploit is “Iran’s Oil and Nuclear Situation” and it includes an attached Word document. If the victim opens the Word file, the Flash code inside tries to download an MP4 file from a remote server. That file contains the actual exploit code that triggers the Flash bug.
