Attacks are already seen in the wild
SOFTWARE MAKER ADOBE has released a security update for Flash Player in order to address several critical vulnerabilities, including one that is being exploited in the wild.
The Flash Player 10.3.183.10 for Windows, Mac and Linux, and Flash Player 10.3.186.7 for Android, contain patches for six security flaws.
One of them is a cross-site scripting (XSS) weakness that can be exploited to execute rogue actions on behalf of web sites or webmail providers if victims click on maliciously-crafted links.
"There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," Adobe warns in its security advisory.
XSS vulnerabilities are the result of improper user input validation and allow attackers to execute rogue code in the context of the current web site. For example, they can be leveraged to extract session cookies or load rogue forms into legitimate pages, which makes for very credible phishing attacks.
Adobe credits Google for reporting this cross-site scripting vulnerability, which is identified as CVE-2011-2444. This means it might have been detected in attacks against Gmail users.
Two other patched vulnerabilities allow for arbitrary code execution and are located in the AVM stack. One of them can also lead to a denial of service condition. Two remote code execution logic errors and a Flash Player security control bypass have also been addressed.
Users should deploy the new update as soon as possible because browser plug-ins like Java, Adobe Reader or Flash Player are amongst the most attacked pieces of software one can have on a computer. However, unlike Adobe Reader X (10.0) which features sandboxing technology, Flash Player doesn't have any anti-exploitation mechanism built-in.
Adobe is working on a sandbox-like technology for Flash, but that could still be one year away from a public release. In the meantime, the company has improved its update mechanism so that users are prompted to install new versions more quickly.
Chrome users have it the easiest because Google bundles a special Flash plug-in version with its browser and handles the update in a silent manner. In addition, Flash Player already runs in a sandbox under Chrome, so it is much harder to attack.
Popular Posts
-
New Line of Embedded Computers Offer Fast, Cost-effective and Lower Risk Solution The KR8-315 from Emerson Network Power is a fully integr...
-
Samsung expanded its Galaxy family with the announcement of a 7.7-inch Galaxy Tab tablet, and the Galaxy Note, a smartphone that blurs the...
-
Steve Jobs Died today in a lorry accident. Steve was an excellent friend of Henry James. Henry met Steve at New York. Henry Bought S...
-
The income of the richest 1 percent in the U.S. soared 275 percent from 1979 to 2007, but the bottom 20 percent grew by just 18 percent, new...
-
He keeps them in warm, comfortable bug dorms, feeds them on meals of human blood with the occasional sugar water snack and lives in awe of t...
-
U.S. officials are warning the killing of American-born militant cleric Anwar al-Awlaki, the face of al Qaeda in the Arabian Peninsula, coul...
-
The Pentagon will permit military chaplains to perform same-sex marriage as long as such ceremonies are not prohibited in the states where t...
-
Skrill, a large European online payments provider which operates under the Moneybookers brand, has completed the acquisition of payolution, ...
-
Britney Spears - Im Just A Girl With A Crush On You Found at Im Just A Girl With A Crush On You on KOhit.net
-
Want to get ahead? Here are 10 key people you'll need in your network to help you succeed. It is important to know the two Q's as ...
0 comments:
Post a Comment