If you listen to some of the security experts at last week’s Honeywell User Group conference, most said one of the top software attack points is through Adobe.
So it is no surprise hackers exploiting a just-patched Flash vulnerability, serving attack code “on a fairly large scale” from compromised sites as well as from their own malicious domains, a security researcher said.
The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second “out-of-band,” or emergency update, in nine days.
“CVE-2011-2110 is being exploited in the wild on a fairly large scale,” said Steven Adair, a researcher with the Shadowserver Foundation, a volunteer-run group that tracks vulnerabilities and botnets. “In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs [non-government organizations], aerospace companies, a Korean news site, an Indian government Web site, and a Taiwanese university.”
CVE-2011-2110 is the identifier for the Flash vulnerability assigned by the Common Vulnerabilities and Exposures database.
Attackers are also using the exploit in “spear phishing” attacks aimed at specific individuals, Adair said.
Adair called the attacks “nasty” because the exploit “happens seamlessly in the background,” giving victims no clue their systems suffered a compromise.
When Adobe patched the vulnerability last week, it said exploits were already in use.
Adair also said there’s been an increase in Flash-based attacks. “There has been an ongoing assault against Flash Player for several years now, but especially so in the last three months,” Adair said.
Adobe has patched Flash Player four times in the last two months, and six times so far this year. Of the six updates, five addressed “zero-day” bugs that attackers were already exploiting at the time the patches came out.
Brad Arkin, Adobe’s director of product security and privacy, acknowledged the problems in keeping ahead of attackers, but blamed the popularity of Flash Player for the attention.
“The installed base [of Flash Player] is a real big part of it,” said Arkin. “It’s such a widely distributed technology that attackers find it worthwhile to invest the time to carry out some kind of malicious activity. They’re making an investment for the biggest return possible.”
Arkin also said attackers get more bang for their buck by rooting out Flash vulnerabilities than they do looking for bugs in individual browsers because virtually every personal computer has the Flash plug-in installed. “Flash is the code [used in the browser] that has the highest market penetration,” he said.
Adair urged everyone to keep Flash Player up-to-date. “If you or your organization runs Adobe Flash and you’re not keeping up on these patches … you are in bad shape,” he said.
You can download the newest version of Flash Player from Adobe’s Web site. Alternately, users can run the program’s integrated update tool or wait for the software to prompt them that a patched edition is available.