Wednesday, February 27, 2013

New Adobe Flash Exploits In-The-Wild,
New Critical Adobe Flash Update:
v11.6.602.171

--

Wow. Yet another Adobe Flash update, the third so far this year. Two of the three patched CVE security holes are being actively exploited in-the-wild, making this update CRITICAL.

Where to download the latest version of Flash, in this case v11.6.602.171:

http://get.adobe.com/flashplayer/

Adobe's related security reports:

Today, a Security Bulletin (APSB13-08) has been posted to address security issues in Adobe Flash Player 11.6.602.168 and earlier versions for Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.270 and earlier versions for Linux.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox.

Adobe recommends users apply the updates for their product installations.

Security Bulletin (APSB13-08)
  • Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
  • Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.
. . .
This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643).

This update resolves a vulnerability in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code (CVE-2013-0648).

This update resolves a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code (CVE-2013-0504).
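Because the fixed version differs by platform and by how Flash was installed (the standalone plugin versus the copy bundled with Chrome or Internet Explorer 10), checking a fleet against this bulletin is easy to get wrong. The following is an added example, not code from this post or from Adobe: it takes the fixed versions from the bulletin text above and audits a CSV inventory. The CSV layout (hostname,platform,flash_version), the platform keys, and the sample rows are all assumptions constructed for illustration.

```python
"""Audit a software inventory against the fixed Flash Player versions in APSB13-08.

Added example, not part of the original post or Adobe's bulletin. The inventory
format (hostname,platform,flash_version) and the sample rows are constructed.
"""
import csv
import io

# Minimum non-vulnerable versions per platform, taken from the bulletin text:
# Windows/Mac desktop plugin -> 11.6.602.171, Linux plugin -> 11.2.202.273,
# Flash bundled with Chrome or IE10 -> 11.6.602.171 on every platform.
# The platform key names themselves are an assumption of this example.
FIXED_VERSIONS = {
    "windows": (11, 6, 602, 171),
    "macintosh": (11, 6, 602, 171),
    "linux": (11, 2, 202, 273),
    "chrome": (11, 6, 602, 171),
    "ie10": (11, 6, 602, 171),
}


def parse_version(text):
    """Turn 'a.b.c.d' into an int tuple so comparisons are numeric.

    Comparing the raw strings would be wrong: a hypothetical '11.6.602.99'
    sorts after '11.6.602.171' as text even though 99 < 171.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform, version):
    """True if this install is below the fixed version for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version) < FIXED_VERSIONS[key]


def audit_inventory(csv_text):
    """Return the hostnames from a CSV inventory that still need the update."""
    needs_update = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_vulnerable(row["platform"], row["flash_version"]):
            needs_update.append(row["hostname"])
    return needs_update


# Constructed sample inventory (not real hosts). Versions are the ones
# named in the bulletin, one vulnerable and one fixed per platform.
SAMPLE_INVENTORY = """hostname,platform,flash_version
win-01,Windows,11.6.602.168
win-02,Windows,11.6.602.171
mac-01,Macintosh,11.6.602.167
lin-01,Linux,11.2.202.270
lin-02,Linux,11.2.202.273
kiosk-01,Chrome,11.6.602.171
"""

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: update Flash Player")
```

The platform key matters: a Linux host running the standalone plugin is compared against the 11.2 branch, while the same host's Chrome-bundled Flash is on the 11.6 branch, so record which copy of Flash the inventory entry refers to rather than just the OS.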

Stop Adobe Flash In Your Web Browser!

Because of drive-by infections via malicious Flash files, I HIGHLY recommend stopping Flash files dead in your web browsers until YOU approve them to run. I have updated my list of web browser Flash-blocking add-ons/extensions:

Safari: ClickToFlash, Plugin Customs

Firefox: Flashblock, NoScript

Chromium: Flashblock, FlashControl, SafeScript (ScriptNo)

Opera: Use the Preferences:Advanced:Content:"Enable plug-ins only on demand" checkbox. Also sort of useful is NotScripts (Note: NotScripts is kind of a PITA to set up, but works once you have your JavaScript cache set, as prescribed, to 5000K).

:-Derek
