Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message," the Friday advisory said.

Although all editions of Flash Player contain the vulnerability and should be patched, the active exploit is targeting only users of Microsoft's Internet Explorer (IE).

Flash Player for IE is an ActiveX plug-in, the Microsoft-only standard; other browsers, including Firefox and Chrome, use a different plug-in structure.

The update was pegged with Adobe's priority rating of "1," used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

Adobe disclosed relatively few details about the vulnerability -- its usual practice -- other than to label it an "object confusion vulnerability," note the Common Vulnerabilities & Exposures ID of CVE-2012-0779, and acknowledge that triggering the bug "could cause the application to crash and potentially allow an attacker to take control of the affected system."

It's unclear how extensive the active attacks are, although Adobe's calling them "targeted" hints at a low volume of attempts aimed at specific individuals or companies.

Today's Flash Player update was the fourth this year -- the latest before Friday was on March 28 -- putting the frequently-patched program on about the same pace as last year, when Adobe issued a total of nine Flash security updates.

In March, Adobe addressed the frequent updating pain point -- at least for Windows users -- by shipping Flash Player 11.2, which uses a silent, background update mechanism.
The silent update is supposed to kick in in some situations to automatically patch the plug-in in IE, Firefox, Safari and Opera on Windows without notifying or bothering users.

At the time, Adobe said it would switch on silent updates "on a case-by-case basis," but hinted that the service would primarily be used to distribute patches for zero-day vulnerabilities, such as today's.

Friday, Adobe confirmed that it has, in fact, enabled Flash silent updates for Windows in this instance.

A Computerworld Windows 7 system, however, was not silently updated to 11.2.202.235, the patched version, within an hour of booting the PC, the interval the tool uses to check for new updates. Adobe was unable to explain the problem, other than to suggest an initial failure by those browsers to connect to its servers. In that case, the silent updater is designed to stop pinging Adobe for 24 hours before resuming.

The current stable version of Chrome -- Google's browser is the only one that includes the Adobe software in its updates -- reports running the patched 11.2.202.235 edition of Flash Player. Google shipped that version of Chrome, 18.0.1025.168, on Monday, April 30, giving it a four-day jump on Adobe's plug-in patching.

It was Chrome's largest-ever lead: previously, Google has beaten Adobe to Flash Player patching by hours, or at most a day.

Adobe today again explained Chrome's faster Flash patching by noting that it hands Flash updates to Google as "soon as we updated the code," but needs more time on its part to test fixes on scores of operating system and browser combinations before it's confident enough to ship the update to all users.

Microsoft's vulnerability research group reported the Flash vulnerability to Adobe.

The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe's website. Windows users can wait for the silent updater to kick in, run Flash's update tool or wait for the software to prompt them that a new version is available.
Android users will be able to download the new version from Google Play, formerly the Android Market, later today, said Adobe.

To determine which version of Flash Player is running in any particular browser, users can steer to this Adobe page.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.