Adobe Systems Inc. issued a high-priority security update for its ubiquitous Flash Player software, repairing seven critical vulnerabilities, including a cross-site scripting (XSS) flaw that is being actively targeted in phishing attacks against Internet Explorer users.
The Adobe XSS flaw affects the Flash Player browser plug-in component in all browsers, but the ongoing phishing attacks appear to be affecting IE users. It could be used "to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," Adobe said in a security bulletin issued Wednesday.
"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only)," Adobe said.
XSS is a common technique used by attackers and is included in many automated exploit toolkits. An XSS flaw lets an attacker run malicious JavaScript in the context of a site the victim trusts, where the script can read sensitive data such as session tokens or act with the user's privileges. It is typically used in the first stage of an attack, after which it can give the attacker the ability to exploit other flaws or load additional malware onto a victim's machine. Experts say XSS coding errors are among the most common and, unfortunately, the most difficult to prevent attackers from exploiting.
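As an added illustration of the general XSS mechanism described above (this is not code from the article or from Adobe, and the article gives no details of the Flash Player flaw itself, so nothing here models that bug): a reflected XSS in a hypothetical webmail page, beside its hardened form, in JavaScript. The handler names, the webmail host and the payload are constructed for this example.

```javascript
// Added illustration, not code from the article or from Adobe: the generic
// reflected-XSS pattern in a hypothetical webmail page. The handler names,
// the host "webmail.example" and the payload are constructed for this example.

// VULNERABLE: the "name" query parameter is pasted into the page as markup.
function renderGreetingVulnerable(name) {
  return "<p>Hello, " + name + "</p>";
}

// Escape the five characters that matter inside HTML element content and
// attribute values, so untrusted text cannot close or open tags.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED: identical page, but the untrusted value is escaped for the HTML
// text context it lands in, so a <script> tag arrives as inert text.
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// The phishing side: the payload rides in the link the victim is asked to
// click, and the vulnerable page reflects it back into its own origin.
function nameFromLink(link) {
  return new URL(link).searchParams.get("name") || "";
}

// Constructed payload: once it runs inside the webmail origin it can act on
// the user's behalf (here, a request sent with the victim's cookies attached).
const PAYLOAD =
  '<script>fetch("/api/forward?to=attacker@attacker.invalid",' +
  '{credentials:"include"})</script>';

// Constructed phishing link of the kind delivered in an e-mail message.
const PHISHING_LINK =
  "https://webmail.example/greet?name=" + encodeURIComponent(PAYLOAD);

// Crude check used only in this example: does the rendered output contain a
// live script tag or an inline event-handler attribute?
function containsActiveScript(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Walk the attack through both renderers so the difference is visible.
function demo() {
  const name = nameFromLink(PHISHING_LINK);
  return {
    vulnerable: containsActiveScript(renderGreetingVulnerable(name)),
    hardened: containsActiveScript(renderGreetingSafe(name)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // { vulnerable: true, hardened: false }
}
```

The escaping is context-specific: it is correct for text placed inside an element body or a quoted attribute, but a value inserted into a URL, a script block or a CSS context needs the encoding for that context instead.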
The six other flaws include several memory corruption and security bypass errors. "These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.
The update affects users of Adobe Flash Player on Windows, Macintosh, Linux and Solaris systems, as well as Flash Player for Google Android devices.
Adobe has been slowly building protections around its Flash Player plug-in. The company already has sandboxing features for Google Chrome users. Last week, Adobe issued a beta version of a Flash Player sandbox for Firefox users. Sandboxing makes it harder for attackers to break out of Flash Player and gain access to other critical systems and components on a victim's machine.
Shockwave Player update
The Flash Player update is the second security bulletin issued by Adobe this week. On Tuesday, the software maker issued an update to its Shockwave Player, repairing eight vulnerabilities. The update affects users of Shockwave Player 11.6.3.633 and earlier versions on Windows and Macintosh machines.
Adobe said the critical update repairs several memory corruption vulnerabilities and a heap overflow flaw that could result in remote code execution. "These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system," Adobe said.
"While not quite as popular as Adobe Flash, it has an enormous installed base and has seen its share of use in Web-based attacks," said Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc.