Adobe Systems Inc. issued a high-priority security update for its ubiquitous Flash Player software, repairing seven critical vulnerabilities, including a cross-site scripting (XSS) flaw that is being actively targeted in phishing attacks against Internet Explorer users.
There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
Adobe Systems Inc.
The Adobe XSS flaw affects the Flash Player browser plug-in component and all browsers, but ongoing phishing attacks appear to be affecting IE users. It can be used “to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website,” Adobe said in a security bulletin issued Wednesday.
“There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only),” Adobe said.
The six other flaws include a variety of memory corruption and security bypass errors. “These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.
The update affects users of Adobe Flash Player on Windows, Macintosh, Linux and Solaris systems, as well as Flash Player for Google Android devices.
Adobe has been slowly building protections around its Flash Player plug-in. The company has sandboxing features for Google Chrome users. Last week, Adobe issued a beta version of Flash Player sandbox for Firefox users. Sandboxing makes it more difficult for attackers to break out of Flash Player and gain access to other critical systems and components on a victim’s machine.
Shockwave Player update
The Flash Player update is the second security bulletin issued by Adobe this week. On Tuesday, the software maker issued an update to its Shockwave Player, repairing eight vulnerabilities. The update affects users of Shockwave Player 126.96.36.1993 and earlier versions on Windows and Macintosh machines.
Adobe said the critical update repairs a variety of memory corruption vulnerabilities and a heap overflow flaw that could lead to remote code execution. “These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system,” Adobe said.
“While not quite as popular as Adobe Flash, it has a large installed base and has seen its share of use in Web-based attacks,” said Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc.