Urgent: Patch Adobe Flash to Protect against Zero-Day Exploit
Adobe issued a critical update today for its Flash Player software. The patch fixes six security vulnerabilities, at least one of which is a zero-day vulnerability being actively exploited in the wild.
The details of the Adobe security bulletin explain, "This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444)," adding, "Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
The zero-day bug fixed today is similar to a flaw in Flash that was patched in June. Coincidentally, both the June vulnerability, and this one patched today were reported to Adobe by Google.
I have not seen any official indication that the Flash zero-day had anything to do with the Diginotar hack that compromised digital certificates used to authenticate websites as legitimate--but the timing seems about right.
Just as flaws in the ubiquitous Adobe Flash were exploited to infiltrate RSA Security and compromise the encryption keys used in RSA's SecurID two-factor authentication tokens, Flash may also have been the Achilles heel of Diginotar.
Adobe Flash is nearly universal. With Adobe Flash Player software and browser plug-ins available for virtually every operating system and browser, this zero-day flaw could potentially impact 90 to 95 percent of the PCs in the world.
Andrew Storms, director of security operations for nCircle, connects the dots. "Adobe said that today’s bug 'could be used to act on the user's behalf with webmail providers.' I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user's Gmail account."
Storms implores, "It’s time for all IT teams to circle the wagons and patch Flash as soon as possible."
I'll see Storms' "IT teams", and raise him an "everyone who uses Flash". Go download and install the Adobe Flash update now.