Adobe Systems issued a critical, out-of-cycle Flash Player update, addressing a serious vulnerability used in an advanced attack campaign.
The security update, issued by the software maker today, addresses vulnerabilities that could enable an attacker to take control of an affected system, the company said in its advisory. The firm gave its security update the highest priority rating. It impacts Flash Player running on Windows, Linux and Macintosh platforms.
Adobe also warned that attacks using an exploit targeting the flaws were aimed at Windows users. The update comes a day after Microsoft issued an advisory warning about a targeted attack campaign that uses new zero-day vulnerabilities against Internet Explorer users. The Adobe attacks were first detected on April 14, according to Kaspersky Lab, which issued a report today analyzing the threat.
The firm believes the attack, which was first detected hosted on a website maintained by the Syrian Ministry of Justice, was designed to target Syrian dissidents complaining about the government. The specific attacks uncovered by Kaspersky Lab were "high caliber" and carefully planned, according to the company. They aren't likely to become widespread, but now that it has been made public, other criminals can attempt to target the flaws, impacting users that have not fully deployed the Adobe update, Kaspersky Lab said.
"It is possible that once information about this vulnerability becomes known, criminals would try to reproduce these new exploits or somehow get the existing variants and use it in other attacks," wrote Vyacheslav Zakorzhevsky, a Kaspersky Lab expert, in the firm's analysis of the threat. "Even with a patch available, cybercriminals would expect to profit from this vulnerability because a worldwide update of software as widely used as Flash Player will take some time. Unfortunately, this vulnerability will be dangerous for a while."
The attack targets a Flash Player component that performs video and image processing, Zakorzhevsky said. The company detected an attack campaign using a malicious Shockwave Flash movie containing two exploits targeting the vulnerabilities. The attacks were detected over a three-day period from April 14 to April 16, Zakorzhevsky said.
The attacks used specific techniques to bypass security capabilities and gain access to specific data, Zakorzhevsky said. One of the two exploits uncovered by Kaspersky Lab researchers attempts to interact with Cisco MeetingPlace Express, an add-in capability used by web conference participants to view documents and images from a presenter's screen.
It's unlikely the targeted attacks will impact most businesses, but the threat of future attacks against Flash remains high, said solution providers. Adobe Flash, a highly targeted software component because of its widespread use, should be proactively addressed with patching products, said Ben Goodman, president of 4A Security, a managed security service and risk management consultancy based in New York.
Keeping end users up to date on patches should be a priority, but it is often a difficult process, Goodman said. In addition to products that tie into Microsoft's Windows Server Update Services patching mechanism, some organizations run Trend Micro's virtual patching solution, he said. "This is a strong solution because it pushes the patches out uniformly across an entire environment, generally much faster than other routes," Goodman said.
Meanwhile, the growth of HTML Version 5 is letting organizations eliminate Flash functionality altogether, said Chris Camejo, director of consulting and professional services at NTT Com Security. Camejo also pointed to technology vendors taking action to provide capabilities to restrict Java and Flash because of a rash of zero-day vulnerabilities.
Apple, in particular, disabled Java over security concerns. In its Safari browser, Apple also lets the Flash plugin be allowed or disallowed on a site-by-site basis, Camejo said. "This feature, in particular, would provide the sort of granular control an IT organization would need in order to effectively manage client-side plugins like Flash; allow them for sites with a legitimate business need and disallow them everywhere else," Camejo said.
PUBLISHED APRIL 28, 2014