Feeds

Adobe muzzles TWO zero-day wild things with emergency Flash patches

Critical block for active Win and Mac attacks

Protecting against web application threats using SSL

Updated Adobe published a critical Flash Player update on Thursday that fixes not just one but two zero-day flaws, both under active attack by hackers.

Both Windows and Mac users are in the firing line. One of the vulnerabilities (CVE-2013-0633) is being harnessed in targeted attacks designed to trick marks into opening a Microsoft Word document email attachment that contains malicious Flash (SWF) content. The exploit targets the ActiveX version of Flash Player on Windows.

The second vulnerability (CVE-2013-0634) is designed to attack Safari and Firefox browser users on Macs. The assault involves malicious Flash (SWF) content delivered by a drive-by download-style attack from booby-trapped websites. The second vulnerability is also being abused to hack Windows machines using malicious Word attachments, again featuring malicious Flash content.

Users of Adobe Flash Player 11.5.502.146 and earlier for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149, as explained in an emergency bulletin by Adobe. The updates also cover Flash on Linux and for Android smartphones - although the need to update on those instances is not as pressing.

Users of Google Chrome and Internet Explorer 10 will get built-in Flash components updates automatically from Google and Microsoft, respectively.

Early indications don't shed much light on who is being attacked in the wild but the seriousness of the flaws and the potential for harm is beyond doubt. Exploitation of flaws in Adobe Flash, along with Java flaws, browser vulnerabilities and PDF exploits are among the most prevalent hacking tactics and have been for at least a couple of years. It's worth going through Adobe's irksome update process to apply these fixes. Patch now or risk getting pwned later. ®

Update: Exploit used to target aerospace industry

Security tools firm AlienVault reports that Microsoft Office files containing the exploit have cropped up in an spearphishing campaign targeting businesses in the aerospace industry, among others. One of these files uses an 2013 IEEE Aerospace Conference schedule as a lure.

Another sample containing the exploit is themed around information about an online payroll system that's primarily used in the US.

In both cases the booby-trapped Word .doc files contain an embedded flash file with no compression or obfuscation.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.