Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.
“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.
Although all editions of Flash Player contain the vulnerability and should be patched, the active exploit is targeting only users of Microsoft’s Internet Explorer (IE).
Flash Player for IE is an ActiveX plug-in, the Microsoft-only standard; other browsers, including Firefox and Chrome, use a different plug-in structure.
The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.
Adobe disclosed relatively few details about the vulnerability — its usual practice — other than to label it an “object confusion vulnerability,” note the Common Vulnerabilities and Exposures ID of CVE-2012-0779, and acknowledge that triggering the bug “could cause the application to crash and potentially allow an attacker to take control of the affected system.”
It’s unclear how extensive the active attacks are, although Adobe’s calling them “targeted” hints at a low volume of attempts aimed at specific individuals or companies.
Today’s Flash Player update was the fourth this year — the latest before Friday was on March 28 — putting the frequently-patched program on about the same pace as last year, when Adobe issued a total of nine Flash security updates.
In March, Adobe addressed the frequent updating pain point — at least for Windows users — by shipping Flash Player 11.2, which uses a silent, background update mechanism. The silent update is supposed to kick in in some situations to automatically patch the plug-in in IE, Firefox, Safari and Opera on Windows without notifying or bothering users.
At the time, Adobe said it would switch on silent updates “on a case-by-case basis,” but hinted that the service would primarily be used to distribute patches for zero-day vulnerabilities, such as today’s.
Friday, Adobe confirmed that it has, in fact, enabled Flash silent updates for Windows in this instance.
A Computerworld Windows 7 system, however, was not silently updated to 220.127.116.11, the patched version, within an hour of booting the PC, the interval the tool uses to check for new updates. Adobe was unable to explain the problem, other than to suggest an initial failure by those browsers to connect to its servers. In that case, the silent updater is designed to stop pinging Adobe for 24 hours before resuming.
The current stable version of Chrome — Google’s browser is the only one that includes the Adobe software in its updates — reports running the patched 18.104.22.168 edition of Flash Player. Google shipped that version of Chrome, 18.0.1025.168, on Monday, April 30, giving it a four-day jump on Adobe’s plug-in patching.
It was Chrome’s largest-ever lead: previously, Google has beaten Adobe to Flash Player patching by hours, or at most a day.
Adobe today again explained Chrome’s faster Flash patching by noting that it hands Flash updates to Google as “soon as we updated the code,” but needs more time on its part to test fixes on scores of operating system and browser combinations before it’s confident enough to ship the update to all users.
Microsoft’s vulnerability research group reported the Flash vulnerability to Adobe.
The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe’s website. Windows users can wait for the silent updater to kick in, run Flash’s update tool or wait for the software to prompt them that a new version is available.
Android users will be able to download the new version from Google Play, formerly the Android Market, later today, said Adobe.
To determine which version of Flash Player is running in any particular browser, users can steer to this Adobe page.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed.
The V8 flaw was discovered by security researcher Christian Holler, who was awarded $1,000 by Google for reporting the issue.
The Chrome Stable 15.0.874.121 update is the second security update from Google for Chrome in a week. On November 10, Google released Chrome Stable 15.0.874.120, fixing seven flaws, five marked as being high impact.
Over the short life of the Chrome 15 browser so far, Google has been very active. The first stable release of Chrome 15 came out at the end of October. The first release fixed over 27 flaws in Chrome, with Google paying out a record $26,511 in rewards to security researchers.
Google paid out a record £16,215 ($26,511) in bug bounties to researchers who reported some of the 18 Chrome vulnerabilities patched today.
The company also upgraded the stable version of the browser to version 15, which sports a revamped New Tab page.
Google last refreshed Chrome on 16 September, just over five weeks ago. Google produces an update to its “stable” channel about every six weeks, a practice that rival Mozilla copied with the debut of Firefox 5 last June.
Eleven of the 18 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s scoring system, while three were tagged “medium” and another four were marked “low.”
Google paid £16,215 in bounties, a record, to four researchers, including £8,528 ($13,674) to Sergey Glazunov and £6,447 ($10,337) to “miaubiz,” a pair of regular Chrome vulnerability finders who together have accounted for 57 percent of all bug payments this year. Google has laid out over £106,018 ($170,000) in bounties so far during 2011.
The previous bounty record, set more than two months ago, was £10,602 ($17,000).
Glazunov and miaubiz collected their five-figure checks for reporting multiple bugs that Google then combined into one CVE (Common Vulnerabilities and Exposures) identifier.
Glazunov, for example, was awarded £7,575 ($12,147) for five bugs that Google named only as “cross-origin policy violations” and pooled under a single CVE in its typically terse description.
Miaubiz, meanwhile, was paid £3,952 ($6,337) for one CVE that actually contained six different bugs tracked by Google in its change database.
As is its habit, Google barred access to the bug tracker database for all the vulnerabilities to prevent outsiders from obtaining details on the flaws.
Most of the bugs uncovered by miaubiz, said Google, were discovered using the company’s memory error detection tool, AddressSanitizer, that it released in June.
AddressSanitizer can detect a variety of errors, including “use-after-free” memory management bugs like the ones reported by miaubiz.
Google also said it updated Chrome to stymie BEAST, for “Browser Exploit Against SSL/TLS,” a hacking tool released last month that attacks browsers and decrypts cookies, potentially giving attackers access to encrypted website log-on credentials.
Previously, Google had added anti-BEAST protection to Chrome’s “dev” and “beta” channels, the rougher-edged versions that precede the stable build.
Microsoft has promised to patch Windows so that its Internet Explorer isn’t vulnerable to BEAST’s attacks, but has not set a timetable.
Chrome 15’s most obvious change, however, is the redesigned New Tab page that appears when users click the right-most tab at the top of the browser’s window or press the Ctrl-T key combination.
The new format offers easier navigation between online apps and most-used websites, the ability to organize apps by dragging and dropping, and a simpler way to remove apps or sites from the screen.
Chrome 15 can be downloaded for Windows, Mac OS X and Linux from Google’s Web site. Users already running the browser will be updated automatically via the browser’s behind-the-scenes service.