It’s like a nasty child; it keeps on acting up. Of course, it’s because it is being attacked from the outside, but still, if it was not vulnerable…
In what’s become an all-too-familiar refrain, Adobe has released yet another security bulletin, APSA 10-03, giving very few details about a new zero-day hole in Flash. The hole apparently exists not only on Windows systems, but also Mac, Linux, Solaris, and Android.
The zero-day security flaw “could cause a crash and potentially allow an attacker to take control of the affected system.” Adobe further advises, “There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.”
In a different twist, the same security hole also bedevils Adobe’s Acrobat and Reader, according to Adobe, leaving them both exposed to the same kind of exploit. Blame the Flash player embedded in Reader.
Adobe says it plans to have a fix available for Flash during the week of Sept. 27.
Companies like Microsoft and Adobe tend to put the same flaws in products, yet only fix flaws as they are revealed. If that were not the case, we would not see the same mistakes repeated, and exploited, over time.
It begins to make me wonder if the unethical hackers may actually be the better coders, as they always seem to find the flaws, and though the fixes are applied, they continue to find ways in.
The company also says it’ll be able to patch Acrobat and Reader the week of Oct. 4. According to security bulletin APSA 10-02, that’s the same time Adobe promises to have a fix for the Acrobat and Reader zero day I talked about last week in my Tech Watch post “Dangerous Adobe Reader zero-day raises the bar.” It leaves me wondering how the two are related.
Adobe’s playing this one very close to the chest — I’ve seen no details about the hole on any of the usual hacking sites. The security bulletin says, “Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available.” It could be — but if true, none of that information has leaked, at least as of this writing.
The authoritative SANS Internet Storm Center doesn’t pull any punches:
Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup
Flash — it’s the player that keeps on giving.
All of this brouhaha, and still no word of Adobe Reader 10. Why? Don’t these people write code for a living? (as in that is job #1?) Where is that help from Microsoft?
Though that will not directly help Flash, something gleaned from the fix of Reader should spark the minds of those coding, to give them a way to get outside the box, the way the malware writers do. It is only that kind of thinking that will be able to end this never ending stream of successful attacks on the Adobe products.
I remember when Adobe Acrobat Reader was first being pushed out as a standard. There was a competitor from Novell that purported to do the same things, but was put aside when Novell started having its long list of now legendary problems. Perhaps it is time to bring that code out of mothballs, and do a little updating. Reader could certainly use some competition. Competition that works from a completely different codebase.
Perhaps Adobe Acrobat Reader (and of course, Flash, as it is what brought us here today) does not deserve to survive.
Where Adobe products are not exploited weekly, and the skies are not cloudy all day!