Adobe muzzles TWO zero-day wild things with emergency Flash patches
Critical block for active Win and Mac attacks
Agentless Backup is Not a Myth
Updated Adobe published a critical Flash Player update on Thursday that fixes not just one but two zero-day flaws, both under active attack by hackers.
Both Windows and Mac users are in the firing line. One of the vulnerabilities (CVE-2013-0633) is being harnessed in targeted attacks designed to trick marks into opening a Microsoft Word document email attachment that contains malicious Flash (SWF) content. The exploit targets the ActiveX version of Flash Player on Windows.
The second vulnerability (CVE-2013-0634) is designed to attack Safari and Firefox browser users on Macs. The assault involves malicious Flash (SWF) content delivered by a drive-by download-style attack from booby-trapped websites. The second vulnerability is also being abused to hack Windows machines using malicious Word attachments, again featuring malicious Flash content.
Users of Adobe Flash Player 11.5.502.146 and earlier for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149, as explained in an emergency bulletin by Adobe. The updates also cover Flash on Linux and for Android smartphones - although the need to update on those instances is not as pressing.
Users of Google Chrome and Internet Explorer 10 will get built-in Flash components updates automatically from Google and Microsoft, respectively.
Early indications don't shed much light on who is being attacked in the wild but the seriousness of the flaws and the potential for harm is beyond doubt. Exploitation of flaws in Adobe Flash, along with Java flaws, browser vulnerabilities and PDF exploits are among the most prevalent hacking tactics and have been for at least a couple of years. It's worth going through Adobe's irksome update process to apply these fixes. Patch now or risk getting pwned later. ®
Update: Exploit used to target aerospace industry
Security tools firm AlienVault reports that Microsoft Office files containing the exploit have cropped up in an spearphishing campaign targeting businesses in the aerospace industry, among others. One of these files uses an 2013 IEEE Aerospace Conference schedule as a lure.
Another sample containing the exploit is themed around information about an online payroll system that's primarily used in the US.
In both cases the booby-trapped Word .doc files contain an embedded flash file with no compression or obfuscation.
COMMENTS
Re: What The Holy FUCK ???
>Why on earth do they need a movie inside a text document ???
The whole idea is that a document doesn't need to know what kind of content is embedded in it- just to who to call to open it. This embedded document could be a spreadsheet, an image or a video- the host document doesn't know or care. This is an old concept.
That's the idea- obviously things don't always go smoothly when translated into practice.
Maybe your question should be- "how can any content inside a document be allowed to be damaging to the system"? but the line gets a bit fuzzy.... like the Sorcerer's Apprentice, powerful tools can be dangerous.
What The Holy FUCK ???
"to trick marks into opening a Microsoft Word document email attachment that contains malicious Flash (SWF) content."
As long as this insanity continues in the corporate world and M$FT, there is no hope for any real security. Why on earth do they need a movie inside a text document ???
Re: "Critical block for active Win and MAC attacks"
Mac = a brand of personal computer
MAC = Media Access Control [address]
Careful with that CapsLock, Eugene!
IT infrastructure monitoring strategies
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Data control in the cloud
Cloud based data management
Agentless Backup is Not a Myth
