Secplicity – Security Simplified

Early Adobe Flash Update Plugs Zero Day Vulnerability: Reader Update Due Week of October 4

Summary:

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia claims that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Yesterday, Adobe released a security bulletin describing an update that fixes a serious zero day vulnerability in Flash Player, which attackers are exploiting in the wild. We first warned you of this zero day vulnerability in an early Wire post last week. The vulnerability affects Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux, and Solaris, as well as Flash Player 10.1.92.10 for Android. Originally, Adobe planned to release a patch for this vulnerability on September 27 (as mentioned in our Wire post). However, they have released the update early, likely due to the flaw’s severity.

Adobe’s bulletin doesn’t describe the critical vulnerability (CVE-2010-2884) in any technical detail. They only say that an attacker can exploit it to cause a crash and execute code on a victim’s computer, potentially gaining full control of it. Like most Flash vulnerabilities, an attacker would first have to entice you to a web page containing malicious Flash content to leverage this flaw. Attackers are currently exploiting this Flash vulnerability in the wild, so you will want to patch it immediately.

Adobe also warns that this flaw affects Reader as well. However, they do not plan to release the Reader patch until the week of October 4. They claim attackers haven’t begun leveraging the Reader version of the vulnerability in the wild yet. Nonetheless, we will alert you as soon as they release the Reader update.

Solution Path

To correct this vulnerability, Adobe has released Flash Player 10.1.85.3 for Windows, Mac, Linux and Solaris, as well as Flash Player 10.1.95.1 for Android (link points to Android Marketplace). You should download and deploy the corresponding update immediately, or let the Adobe Software Updater program do it for you.

Note to Google Chrome users: Chrome comes with the Flash Player built into the browser, so simply upgrading Flash is not enough to fix this vulnerability. If you use Google Chrome, you should download and install Chrome 6.0.472.62 to fix this issue.
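As an added illustration (not code from Adobe or from the original alert), the following Python checker applies the version thresholds given above, including the Chrome caveat, to a constructed host inventory; the hostnames and installed versions are made up.

```python
# Added example, not from the original advisory: applies the version
# thresholds the bulletin states for CVE-2010-2884 to a host inventory.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed Flash Player releases named in the advisory; older builds are affected.
FIXED_FLASH: Dict[str, Version] = {
    "windows": (10, 1, 85, 3), "mac": (10, 1, 85, 3),
    "linux": (10, 1, 85, 3), "solaris": (10, 1, 85, 3),
    "android": (10, 1, 95, 1),
}
# Chrome ships its own copy of Flash, so only a Chrome update fixes it there.
FIXED_CHROME: Version = (6, 0, 472, 62)

def parse_version(text: str) -> Version:
    """Turn '10.1.82.76' into (10, 1, 82, 76); tuples compare component-wise."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_flash_vulnerable(platform: str, flash_version: str) -> bool:
    """True when the stand-alone Flash Player predates the fixed release."""
    key = platform.lower()
    if key not in FIXED_FLASH:
        raise ValueError(f"platform not covered by the advisory: {platform!r}")
    return parse_version(flash_version) < FIXED_FLASH[key]

def is_chrome_vulnerable(chrome_version: str) -> bool:
    """Chrome's bundled Flash is only fixed by upgrading Chrome itself."""
    return parse_version(chrome_version) < FIXED_CHROME

def patch_actions(host: Dict[str, str]) -> List[str]:
    """List the updates a host still needs; an empty list means it is covered."""
    actions = []
    if is_flash_vulnerable(host["platform"], host["flash"]):
        fixed = FIXED_FLASH[host["platform"].lower()]
        actions.append("update Flash Player to " + ".".join(map(str, fixed)))
    if "chrome" in host and is_chrome_vulnerable(host["chrome"]):
        actions.append("update Chrome to " + ".".join(map(str, FIXED_CHROME)))
    return actions

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"name": "ws01", "platform": "Windows", "flash": "10.1.82.76", "chrome": "6.0.472.59"},
    {"name": "ws02", "platform": "Windows", "flash": "10.1.85.3", "chrome": "6.0.472.59"},
    {"name": "droid03", "platform": "Android", "flash": "10.1.92.10"},
]
```

Note that ws02 has the fixed stand-alone Flash Player but still needs a Chrome update, which is exactly the situation the Chrome note above describes.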

For All Users:

Attackers exploit these flaws via normal-looking HTTP traffic, which most administrators must allow. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
