September 13, 2010

Adobe Systems Inc. warned Monday that attackers are exploiting a previously unknown security hole in its Flash Player, multimedia software that is installed on most computers.

Adobe said a critical vulnerability exists in Adobe Flash Player versions 10.1.82.76 and earlier, for Windows, Mac, Linux, Solaris, UNIX and Android operating systems. In a security advisory, Adobe warned that the flaw could cause Flash to crash and potentially allow an attacker to seize complete control over an affected system.

Worse still, there are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player. Adobe’s advisory states that while the latest versions of Adobe Acrobat and Reader also contain the vulnerable Flash components, the company is not aware of attacks against the Flash flaw in those programs.

That last bit may be of little comfort to Adobe Acrobat and Reader users: Last week, Adobe issued a similar advisory warning that hackers were attacking an as-yet unpatched critical flaw in both of those programs.

Adobe said it is in the process of finalizing a fix for the Flash issue and expects to provide an update for Flash Player on Windows, Mac, and Android systems during the week of Sept. 27, 2010. Updates to fix the Flash flaw in Adobe Reader and Acrobat should be ready by the week of October 4, 2010, Adobe said.

Flash is one of those Web components that can be difficult to do without. I often urge readers who use Firefox to install and use the NoScript add-on, which blocks Flash-based content by default and lets the user decide which Flash videos to enable.


37 thoughts on “Adobe Warns of Attacks on New Flash Flaw”

  1. Faust

    FYI, in addition to NoScript, I use Flashblock for those sites that I’ve whitelisted in NoScript but still don’t want to see the dang Flash.

  2. JCitizen

    SpywareBlaster also has a flash killer for PC. It is freeware, unless you care to donate, or buy the auto-updater. It comes in pretty handy for IE8, as you can disable flash until you need it; and then disable it again. It is in the tools section and it is up to version 4.4 now, for those that are interested.

    Also it has a system snapshot feature and several more; uses absolutely no resources that I’ve been able to detect. If a host file could slow a PC down, I’ve never noticed it.

  3. Brian

    One could also use the Chrome browser. There is a Flashblock extension, and the Flash plugin is built into the browser, so it will be updated as soon as Adobe issues a patch, which is a benefit to the “patch weary.” To my understanding, this also means that the threat is further mitigated due to the Chrome sandbox. Cheers!

    1. Brian (Not Krebs)

      Well, it would appear that Adobe has fixed the flaw. There is a new version of Flash, and Google has updated Chrome accordingly. When I visit Adobe.com they detect the new version. I haven’t seen this reported anywhere yet. Cheers!

      1. JBV

        Thank you, other Brian:

        Chrome was updated last night.

        Many PCs also have IE installed, whether you use it or not, and Adobe Flash Version 10,1,82,76 requires a separate download through IE. As usual, there are other offers included, so one must remember to uncheck the box for whatever toolbar is included by default.

      2. BrianKrebs Post author

        @notKrebs — That’s incorrect. Adobe has *NOT* fixed this vulnerability with a patch. If you’re seeing Google’s Chrome update to Flash v. 10.1.82.76, then you are seeing it finally update to the latest version. 10.1.82.76 does not include a fix for this vulnerability.

        1. JBV

          One problem with Chrome’s updates, automatic or not, is that it doesn’t tell you what is being updated. Chrome has updated twice in the last week, and who knows what it did.

          Secunia scan is still showing Flash as up-to-date, for Version 10,1,82,76 (the vulnerable version).

          Guess we’ll have to wait for the real Brian to post a “Time to Patch” reminder.

        2. TenorBrian

          @BrianKrebs…

          OK…I gave myself the moniker TenorBrian to differentiate myself.

          I’ll doublecheck the Flash version, but I’m -almost- positive it was a step up. I also remember the last update and Chrome had it within 24 hrs. The Chromium release blog says that this latest release was for 2 “high” bugs and one “critical.” But it also specified a new version of Flash. If there is a new version, why would Adobe release one so close to the previously expected critical fix?

        3. TenorBrian

          Actually, Adobe seems to have issued a fix for Chrome users before the “general public,” so to speak. Read more at googlechromereleases.blogspot.com/ and at the link to Adobe’s fix therein. Cheers!

          1. JBV

            Now I’m totally confused: Is Flash patched or not? Or is there a new version available? In Chrome or in IE?

            Maybe Brian (not a Tenor) can help sort this out?

          2. JCitizen

            @TenorBrian;

            I can see why you figure the patch they mention in your Chrome links fixes the problem; but I’ll wait and see.

            I can wait for it to come out on PSI or FH’s update checker.

          3. BrianKrebs Post author

            Yes, Adobe has shipped an update for Chrome users. I’m glad Adobe is pushing stuff out asap on the one hand, but Adobe’s patching process leaves a lot to be desired.

            Here’s the news verbatim from their (updated) advisory:

            We now expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems on Monday September 20, 2010. A fix is now available for Google Chrome users. Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

  4. emv x guy

    My current major bugbear with Adobe is that having disabled JavaScript every time I open a PDF (whether it contains JavaScript or not) I get the message:
    ‘This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they’re disabled.’
    Then to compound the annoyance Adobe have disabled the ability to say no by hitting the n key… and make me mouse/click no twice.
    Thus far I’ve found no way of telling Adobe I don’t want JavaScript; and I don’t want it forced down my throat every time I open a PDF.
    Adobe knows full well that it’s the weak link but stubbornly refuses to let users permanently disable its major flaws… all very annoying.

    1. Blair

      Well, you could always tell them by using a different reader…

      1. emv x guy

        Yes, I could but I’ve not been able to find one that will allow you to watermark or overlay a background design to 100% of A4… as a reader I’ve happily used Primo and a number of others but unfortunately none are quite as good as Adobe when it comes to making documents that are as polished.

        1. Jimmy

          I’m afraid when it comes to Adobe, you’ll have to choose between polished or pwnd.

    2. drzaiusapelord

      Is version 9 doing that? I noticed that in the current versions of 9 you can disable JavaScript and you’ll only get a prompt when you open a JS-enabled PDF. Regular PDFs won’t do this. Also, it will ask you to enable per document.

      In 8 you’ll get the warning you describe, where it asks you to enable it globally.

  5. Peter

    I know it takes time to find the actual problem, code the fix and test it but wow Adobe is slow to patch these attacks. Two weeks to fix a Flash vulnerability with known exploits and close to a month for Acrobat/Reader. Adobe needs a little bad press around the slow response to zero day attacks in my opinion.

  6. PJ

    Re: ClickToFlash for Mac users — it is also available via Apple’s Extensions site for Safari 5 users. The version posted there is 1.7.4, apparently by another author.

  7. xAdmin

    I wish Adobe provided better information. Their security advisory is greatly lacking in pertinent details. Their Product Security Incident Response Team (PSIRT) Blog isn’t any better (see link below). For example, how does this allow an attacker to gain complete control over an affected system if you’re running as a limited user (non-admin)? Are there any mitigating steps available other than uninstalling Flash Player? Does running IE in No Add-ins mode mitigate the threat? I don’t want to install other software to mitigate the threat!

    http://blogs.adobe.com/psirt/

    Adobe is becoming the joke of the software industry. In their security advisory for Adobe Reader, the only mitigating step they state is to “utilize Microsoft’s Enhanced Mitigation Evaluation Toolkit (EMET)”. Hah, that requires .NET which I purposely choose not to install to lower my system’s attack surface. So, in order to mitigate their vulnerability, I need to install other software that has the potential to raise my attack surface? Great! Thank goodness Foxit fixes that one!

    1. BrianKrebs Post author

      Yes. A number of security and anti-virus industry folks have identified it in the wild. I think the first sites seen exploiting this are (surprise!) in Asia (Korea to be exact).

  8. Ned

    I can understand why end-users still use Adobe, but people who read this site? I mean apart from $work computers where they may not have the choice. What a joke.

    1. JBV

      Some people who read this site are “end-users” and we use Adobe Reader to fill out IRS and state tax forms. Can you suggest an alternative?

  9. CWH803

    Adobe Flash Player and Adobe Reader defects have led me to mitigation strategies.

    In XP IE8 I use FlashSwitch to keep Flash Player off and toggle it on only when I want to see a Flash file. In Win 7 IE8 I use the Manage Add-ons tool to perform the same function of temporarily enabling Flash and returning it to the disabled state. I prefer these two methods over SpywareBlaster’s Flash Control because they are real-time and don’t require an IE8 restart to function.

    For mitigating Adobe Reader defects in both XP and Win 7 I use Foxit Reader with JavaScript disabled.

    1. xAdmin

      What is the difference in IE 8 on Windows XP vs. Windows 7 where FlashSwitch is required on one, but not the other? I would think IE’s Manage Add-ons would work the same on either platform.

      My standard practice when concerned with the highest security, is to run IE in No-Add ons mode where ALL add-ons are disabled (ex. when using online banking). Otherwise, I’m relying on other defensive measures to lower my risk (ex. blocking hosts file, non-admin account, etc.) Although, with the Flash Player vulnerabilities in recent months, I’m beginning to question keeping it on my systems. Unfortunately, there isn’t a viable alternative for various websites I frequent that need Flash. 🙁

      1. JCitizen

        I agree xAdmin. The way I understand it, if flash is on the PC then any malware built to exploit it can use it whether disabled or not.

        This is why I like the flash killer in SpywareBlaster, as the application cannot start at all, even when installed on the PC. So far I have never seen malware capable of circumventing this in my honeypot lab.

  10. Spiros

    Welcome to the war between HTML5 and Flash. I don’t remember so many issues with the flash before the HTML5 adoption.

    1. drzaiusapelord

      Flash has been a security nightmare for some time now. HTML5 is meaningless in this context. It’s not going to at all compete with the flash product, but perhaps with a basic flash video for producers who want very basic functionality.

      1. JCitizen

        Interesting post drzaiusapelord; I really do need to research the new standard more. Personally I wished more web-sites used Silverlight. At least it seems to keep up with the vulnerabilities in a more timely fashion.

        And on the face of it; known vulnerabilities are farther and fewer between. I find it way more reliable and functional too; especially with HD video.

  11. AlphaMack

    Flash isn’t only a security nightmare, but a pain to update. I would prefer standalone executables to quickly update a batch of Windows PCs, but Adobe would rather have me download their stupid DLM instead. So for the ActiveX version I have to get it from within Firefox and the “everyone else” version from within IE.

    Moreover, what ever happened to the automatic updater prompt? Why doesn’t it check when it’s supposed to? Why should I have to rely on a Firefox update to tell me that I have an old copy of Flash?

    Adobe, you suck.

  12. LeGeNd

    Thanks,
    but I was looking for the exploit in Metasploit; I didn’t get it.
    Is there any exploit available until now?
