
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Early Adobe Flash Update Plugs Zero Day Vulnerability: Reader Update Due Week of October 4

September 22, 2010 By The Editor

Summary:

  • This vulnerability affects: Adobe Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux, and Solaris. Also affects Flash Player 10.1.92.10 for Android.
  • How an attacker exploits it: By enticing your users to a malicious website
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Flash Player 10.1.85.3 (or 10.1.95.1 for Android) immediately, or let Adobe’s Updater do it for you

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia claims that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Yesterday, Adobe released a security bulletin describing an update that fixes a serious zero day vulnerability in Flash Player, which attackers are exploiting in the wild. We first warned you of this zero day vulnerability in an early Wire post last week. The vulnerability affects Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux, and Solaris, as well as Flash Player 10.1.92.10 for Android. Originally, Adobe planned to release a patch for this vulnerability on September 27 (as mentioned in our Wire post). However, they have released the update early, likely due to the flaw’s severity.

Adobe’s bulletin doesn’t describe the critical vulnerability (CVE-2010-2884) in any technical detail. It says only that an attacker can exploit it to cause a crash and execute code on a victim’s computer, potentially gaining full control of it. As with most Flash vulnerabilities, an attacker would first have to entice you to a web page containing malicious Flash content to leverage this flaw. Attackers are currently exploiting this Flash vulnerability in the wild, so you will want to patch it immediately.

Adobe also warns that this flaw affects Reader. However, they do not plan to release the Reader patch until the week of October 4. They claim attackers haven’t begun leveraging the Reader version of the vulnerability in the wild yet. Nonetheless, we will alert you as soon as they release the Reader update.

Solution Path

To correct this vulnerability, Adobe has released Flash Player 10.1.85.3 for Windows, Mac, Linux and Solaris, as well as Flash Player 10.1.95.1 for Android (link points to Android Marketplace). You should download and deploy the corresponding update immediately, or let the Adobe Software Updater program do it for you.

Note to Google Chrome users: Chrome comes with the Flash Player built into the browser, so simply upgrading Flash is not enough to fix this vulnerability. If you use Google Chrome, you should download and install Chrome 6.0.472.62 to fix this issue.
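To confirm the fixed builds above are actually deployed, the following added example (not part of Adobe's bulletin or this alert's original text) audits a software inventory against the versions this alert lists. The product keys, host names and inventory layout are assumptions made for illustration; versions are compared numerically because a plain string comparison would wrongly rank 10.1.9.0 above 10.1.85.3.

```python
import re

# First fixed builds as stated in this alert.
FIXED = {
    "flash-desktop": (10, 1, 85, 3),   # Windows, Mac, Linux, Solaris
    "flash-android": (10, 1, 95, 1),
    "chrome":        (6, 0, 472, 62),  # Chrome bundles its own Flash Player
}

def parse_version(text):
    """Turn '10.1.82.76', '10,1,82,76' or 'WIN 10,1,82,76' into an int tuple."""
    match = re.search(r"\d+(?:[.,]\d+){1,3}", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in re.split(r"[.,]", match.group())]
    return tuple(parts + [0] * (4 - len(parts)))  # pad '10.1' to (10, 1, 0, 0)

def needs_update(product, version_text):
    """True when the installed build is older than the alert's fixed build."""
    return parse_version(version_text) < FIXED[product]

def audit(inventory):
    """Return (host, product, version) for every entry that still needs the fix."""
    findings = []
    for host, product, version_text in inventory:
        try:
            if needs_update(product, version_text):
                findings.append((host, product, version_text))
        except (KeyError, ValueError):
            # Unknown product or unparsable version: flag for manual review.
            findings.append((host, product, f"UNVERIFIED: {version_text}"))
    return findings

# Constructed sample inventory (host names are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "flash-desktop", "WIN 10,1,82,76"),
    ("ws-02", "flash-desktop", "10.1.85.3"),
    ("ws-03", "flash-desktop", "10.1.9.0"),
    ("ph-01", "flash-android", "10.1.92.10"),
    ("ws-04", "chrome", "6.0.472.62"),
    ("ws-05", "flash-desktop", "unknown"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

Entries whose version cannot be parsed are reported as unverified rather than silently treated as patched.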

For All Users:

Attackers exploit these flaws via normal looking HTTP traffic, which most administrators must allow. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

  • APSB10-22: Adobe Flash Player Security Update

This alert was researched and written by Corey Nachreiner, CISSP.


Filed Under: Security Bytes Tagged With: Adobe, Zero day exploit

