Adobe Issues Further Hardening Of Flash In Emergency Update

Adobe Systems issued an emergency, out-of-band update on Wednesday, providing additional hardening to its Flash Player software from the possibility of attacks targeting flaws it repaired in an October update.

The update impacts users of Flash Player on Windows Macintosh and Linux. Adobe Flash Player installed on Google Chrome also will be updated to address the issue, the company said. The out-of-band update addresses attacks that can attempt to bypass the October fixes.

If an exploit is developed, it would be used in automated attack toolkits and likely target victims in drive-by attacks, according to security experts. The attacks also have been seen using an Internet Explorer Microsoft Office rendering engine to target the Flash Player weaknesses and compromise a victim’s machine.

[Related: 5 Dangerous Web Application Flaws Coveted By Attackers]

"These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution,’ Adobe said in its advisory.

It’s unclear why additional hardening is necessary, but updates are typically issued to address the potential of an attack or block ongoing attacks in the wild, said Tod Beardsley, a Metasploit engineering manager, at Boston-based Rapid7. ’It's nearly always in response to external activity around the bug being fixed,’ Beardsley said.

Adobe Flash remains a favorite target of attackers due to its widespread install base. Users often use outdated Flash Player browser components, leaving the software open to attack, said solution providers. Users of Google Chrome, Internet Explorer 10 and 11 will get an automatic update of Flash, according to Wolfgang Kandek, CTO of Qualys. Older browsers often require users to apply manual updates.

Common vulnerabilities, including those in widely used applications, are the entry point for data breaches, said Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group. While consumers may have reached breach fatigue due to the spate of high-profile data breaches in 2014, organizations are looking at employee training, addressing system weaknesses and shoring up mistakes that cause security lapses, Bruemmer told CRN.

’Despite all the technologies that are put in place, a lot of companies are falling to the human fallibility factor,’ Bruemmer said. ’The best thing organizations can do is focus on best practices and be prepared to respond appropriately when an incident happens.’

Microsoft issued a bevy of updates as part of its October Patch Tuesday, repairing 17 vulnerabilities in Internet Explorer, including issues directly related to Adobe Flash Player. Experts said the two software giants are responding to targeted attack campaigns that are exploiting the vulnerabilities via file attachments and in drive-by website attacks.

Earlier this month, Microsoft addressed several zero-day vulnerabilities believed to have been targeted by attackers known as the Sandworm cyberespionage group. The APT group targeted people at organizations in the United States, Poland, Ukraine and Western Europe.

PUBLISHED NOV. 25, 2014