Exploits target new Adobe Flash bug

Updated Tuesday, May 27 at 4:42 p.m. EST.

Symantec on Tuesday revealed that the latest version of the Adobe Flash Player contains an unpatched vulnerability that is being actively exploited.

Oliver Friedrichs, director of Symantec Security Response, told SCMagazineUS.com on Tuesday that some 20,000 web pages were compromised via SQL injection to redirect visitors to one of three China-based domains serving up exploit code.

The threat is new, so researchers have so far been unable to determine how victims are arriving at the redirects or what the payload entails, Friedrichs said. But, it appears, once they reach one of the infected web pages, no user interaction is required for exploitation.

"It's as bad as you can get," he said of the drive-by-download technique.

According to the SANS Internet Storm Center, which broke news of the incident, the vulnerability affects version 9.0.124.0 and earlier versions.

An Adobe representative said the company was investigating.

"We are aware of today's report of a Flash Player exploit in the wild," Sandy Lo, an Adobe spokeswoman, told SCMagazineUS.com in an email. "We are working with Symantec to investigate the potential SWF [the Flash file format] vulnerability and will have an update once we get more information."

Friedrichs said Flash Player is a built-in component of most web browsers.

"It's (Flash) really inherent to many websites today," he said.

In lieu of a fix, corporate IT administrators should consider disabling Flash by setting the kill-bit on the application, or uninstalling Flash, Friedrichs said. In addition, users should be discouraged from visiting untrusted sites.
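One way to apply the kill-bit mitigation Friedrichs describes, as an added PowerShell example that is not from the article, Symantec or Adobe: it sets the Internet Explorer kill-bit (the 0x400 bit of "Compatibility Flags") for the Flash ActiveX control, assuming the CLSID shown is the Flash control's, and must run from an elevated prompt. It only blocks the ActiveX control in Internet Explorer; the plugin other browsers load is unaffected.

```powershell
# Added example (not from the article): set and verify the IE kill-bit for the
# Adobe Flash Player ActiveX control. Run elevated. Affects Internet Explorer only.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object CLSID (assumed)
$KillBit    = 0x400                                       # kill-bit flag in "Compatibility Flags"

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both paths.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Test-KillBit([string]$Path) {
    # Returns $true only when the kill-bit is present in the existing flags.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit([string]$Path) {
    # Creates the key if needed and ORs the kill-bit into any flags already set,
    # so other compatibility bits on the control are preserved.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

foreach ($path in $KeyPaths) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    if ($path -like '*Wow6432Node*' -and -not (Test-Path (Split-Path $path -Parent))) { continue }
    if (-not (Test-KillBit $path)) { Set-KillBit $path }
    Write-Output ("{0}`n  kill-bit set: {1}" -f $path, (Test-KillBit $path))
}
```

Reverting the mitigation once a patched Flash Player is deployed means clearing the 0x400 bit again, not deleting the key outright, if other compatibility flags were already set on the control.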

Turning off Flash will make the web a less desirable place to visit (users will be unable to view YouTube videos, for example), but it will make it more secure, he said.

"Do you want to become infected or do you want to protect your environment?" Friedrichs said.

Last month, Adobe issued a new version of Flash to close seven vulnerabilities that, if exploited, could have permitted cross-site scripting attacks or system takeover.