
Adobe confirms new zero-day Flash bug

Patches Google-reported XSS flaw hackers now exploiting in targeted attacks

Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).

"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update. "There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."

The attack only works against IE.

Adobe said the other six vulnerabilities, all rated critical like the XSS bug, were memory corruption flaws or security bypass bugs that "could cause a crash and potentially allow an attacker to take control of the affected system."

Google was credited with notifying Adobe of the XSS vulnerability, but Adobe did not note when Google filed the bug report or how long attackers have been exploiting the bug.

To patch the vulnerabilities, Adobe updated Flash Player 11 and Flash Player 10 on Windows, Mac OS X, Linux and Solaris, and Flash Player on Android.

Also on Wednesday, Google updated Chrome to offer the newly patched Flash to its users. Google has packaged Flash Player with Chrome since April 2010, and Chrome remains the only browser that contains its own copy of Flash Player.

Last week, Adobe confirmed that its next target for a "sandboxed" Flash Player would be the plug-in for Internet Explorer, a defense that, if already implemented, should have stopped the current exploits in their tracks.

Adobe finished a sandboxed Flash for Chrome in 2010, and has just launched a beta of sandboxed Flash for Mozilla's Firefox on Windows Vista and Windows 7.

Wednesday's Flash update was the first this year for the media player, but the software has required aggressive patching: In 2011, Adobe fixed Flash flaws nine different times.

The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe's website. Alternately, users can run Flash's update tool or wait for the software to prompt them that a new version is available.

Android users can retrieve the new version from the Android Market.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is [email protected].
