Exploits target new Adobe Flash bug

Updated Tuesday, May 27 at 4:42 p.m. EST.

Symantec on Tuesday revealed that the latest version of the Adobe Flash Player contains an unpatched vulnerability that is being actively exploited.

Oliver Friedrichs, director of Symantec Security Response, told SCMagazineUS.com on Tuesday that some 20,000 web pages were compromised via SQL injection to redirect visitors to one of three China-based domains serving up exploit code.

The threat is new, so researchers have so far been unable to determine how victims are arriving at the redirects or what the payload entails, Friedrichs said. But, it appears, once they reach one of the infected web pages, no user interaction is required for exploitation.

"It's as bad as you can get," he said of the drive-by-download technique.

According to the SANS Internet Storm Center, which broke news of the incident, the vulnerability affects version and earlier installments.

An Adobe representative said the company was investigating.

"We are aware of today's report of a Flash Player exploit in the wild," Sandy Lo, an Adobe spokeswoman, told SCMagazineUS.com in an email. "We are working with Symantec to investigate the potential SWF [the Flash file format] vulnerability and will have an update once we get more information."

Friedrichs said Flash Player is a built-in component of most web browsers.

"It's (Flash) really inherent to many websites today," he said.

In lieu of a fix, corporate IT administrators should consider disabling Flash by setting the kill-bit on the application, or uninstalling Flash, Friedrichs said. In addition, users should be discouraged from visiting untrusted sites.
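The kill-bit mitigation mentioned above is a registry setting that stops Internet Explorer from loading a given ActiveX control. The following PowerShell script is an added example written for this page, not something from the article, Symantec or Adobe; it checks and sets the kill-bit for the Flash Player control. The CLSID and the 0x400 compatibility flag are the well-known values for that control and are supplied here by the example rather than quoted from the article.

```powershell
# Added example: inspect or set the Internet Explorer ActiveX kill-bit for the
# Adobe Flash Player control. Must be run from an elevated (Administrator) prompt.
# The CLSID below is the well-known Flash ActiveX control identifier; it is supplied
# by this example and is not quoted from the article.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
$KeyPath    = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"

# Returns $true when the kill-bit is already present for the Flash control.
function Get-KillBitState {
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return [bool]($flags -band $KillBit)
}

# Sets the kill-bit, preserving any other compatibility flags already present.
function Set-KillBit {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

if (Get-KillBitState) {
    Write-Output "Kill-bit already set for Flash control $FlashClsid"
} else {
    Set-KillBit
    Write-Output "Kill-bit set for Flash control $FlashClsid; IE will no longer load it"
}
```

The kill-bit only governs the ActiveX control that Internet Explorer loads; other browsers use a separate plugin, so uninstalling Flash remains the broader option the article also mentions. On 64-bit Windows the 32-bit browser reads the same path under `SOFTWARE\Wow6432Node`, so an administrator would apply the setting there as well. Once a patched Flash release is deployed, the mitigation is reversed by clearing the 0x400 flag from `Compatibility Flags`.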

Turning off Flash will make the web a less desirable place to visit (users will be unable to view YouTube videos, for example), but it will make it more secure, he said.

"Do you want to become infected or do you want to protect your environment?" Friedrichs said.

Last month, Adobe issued a new version of Flash to close seven vulnerabilities that, if exploited, could have permitted cross-site scripting attacks or system takeover.