
Exploits target new Adobe Flash bug

Updated Tuesday, May 27 at 4:42 p.m. EST.

Symantec on Tuesday revealed that the latest version of the Adobe Flash Player contains an unpatched vulnerability that is being actively exploited.

Oliver Friedrichs, director of Symantec Security Response, said on Tuesday that some 20,000 web pages were compromised via SQL injection to redirect visitors to one of three China-based domains serving up exploit code.

The threat is new, so researchers have not yet been able to determine how victims are arriving at the redirects or what the payload entails, Friedrichs said. But it appears that once visitors reach one of the infected web pages, no user interaction is required for exploitation.

"It's as bad as you can get," he said of the drive-by-download technique.

According to the SANS Internet Storm Center, which broke news of the incident, the vulnerability affects version and earlier installments.

An Adobe representative said the company was investigating.

"We are aware of today's report of a Flash Player exploit in the wild," Sandy Lo, an Adobe spokeswoman, said in an email. "We are working with Symantec to investigate the potential SWF [the Flash file format] vulnerability and will have an update once we get more information."

Friedrichs said Flash Player is a built-in component to most web browsers.

"It's (Flash) really inherent to many websites today," he said.

In lieu of a fix, corporate IT administrators should consider disabling Flash by setting the kill-bit on the application, or uninstalling Flash, Friedrichs said. In addition, users should be discouraged from visiting untrusted sites.

Turning off Flash will make the web a less desirable place to visit (for example, users will be unable to view YouTube videos), but it will make it more secure, he said.

"Do you want to become infected or do you want to protect your environment?" Friedrichs said.

Last month, Adobe issued a new version of Flash to close seven vulnerabilities that, if exploited, could have permitted cross-site scripting attacks or system takeover.
