Adobe Fixes Flash Zero-Day with Massive Security Update
By Tony Bradley
Adobe has been in the headlines for all the wrong reasons recently with new attacks exploiting flaws in Adobe Flash and Adobe Reader. Adobe has addressed the security vulnerabilities now with an immense update resolving a variety of serious issues.
It has been a very busy week for IT administrators and security professionals. Microsoft issued ten security bulletins addressing 34 vulnerabilities in its June Patch Tuesday, then followed with a security advisory for a newly unveiled zero-day flaw. Apple pushed out an update for the Safari Web browser that fixes 48 separate security vulnerabilities. And now, Adobe joins the party with its own huge security update.
“Adobe’s Flash update today contains a staggering 32 bug fixes, eerily reminiscent of Apple’s massive update. It’s been a busy couple of weeks for overworked security teams everywhere,” agrees Andrew Storms, director of security operations for nCircle, adding “It sure looks like Adobe is the new Microsoft–the place where security researchers love to find new bugs.”
A Websense alert from May 29 explains that the Adobe Flash vulnerability is being exploited through drive-by downloads on many infected Web sites. “Websense ThreatSeeker has been tracking these malicious web sites and has discovered numerous reputable web sites that are now unwilling participants, infecting their very own visitors. These sites are from various industries such as government, education, healthcare, finance, media, and entertainment. This attack also attempts to exploit other popular vulnerabilities such as MDAC, RealPlayer, and various ActiveX controls.”
Storms explains “It’s pretty clear that Adobe has had the zero-day bug that got a lot of attention last week for a while. It might look like Adobe made heroic efforts to fix this bug in short order, but it’s much more likely they have been working on the fix for a while and just finished the packaging and QA process.”
The persistent security issues fan the flames of the battle between Apple and Adobe over allowing Flash on the iPhone and iPad. Apple CEO Steve Jobs has cited security concerns as one reason he is opposed to Flash. However, if security concerns are a reason for banning software from the iPhone and iPad, Apple may want to reconsider the Safari Web browser, which was exploited to hack an iPhone in a matter of minutes at this year’s Pwn2Own contest.
As an interesting side note, Tavis Ormandy–the Google security researcher making the news for jumping the gun and publicly disclosing the Windows XP zero-day flaw after giving Microsoft only four days to analyze it–also discovered nine of the vulnerabilities addressed in this Adobe security update.
The fact that Ormandy reported the bugs to Adobe and allowed Adobe ample time to analyze and patch the flaws before making his discoveries public calls into question his motives with the Microsoft vulnerability. While the discrepancy may show where Ormandy’s loyalties lie, it shouldn’t be assumed that Google itself is related to the disclosures, or that there is any larger Google v. Microsoft conspiracy at play.
The vulnerabilities addressed by Adobe affect Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe AIR 220.127.116.1130 and earlier versions for Windows, Macintosh and Linux. IT administrators can get more details on the security issues from this Adobe security bulletin, and should update affected software as soon as possible.