June 13, 2010
Adobe Systems released an update last week to the popular Flash browser plug-in to address vulnerabilities that have been targeted by a "0-day" attack, as reported by the SANS Internet Storm Center. The exploits also affect Adobe Reader and Acrobat 9.1.2, which both use the Flash Player to play videos embedded in PDF files.
Vulnerabilities in applications such as Adobe Acrobat and its related product line are not patched by operating system updates (such as Microsoft AutoUpdate), and so represent an open pathway for exploiting a computer. According to the IBM X-Force 2009 Trend and Risk Report, the number one web-based exploit was against the Microsoft Office Web Components Spreadsheet ActiveX control, and the next 4 of the top 5 involved Adobe Acrobat, Adobe Reader, and Adobe Flash Player. The most pressing threat to the user is in malicious Flash videos or compromised web sites that use Flash for banners. Here is a Flash video from Symantec that explains the "drive-by" attack.
The university community makes extensive use of Adobe Flash, and this problem is significant in that it affects the Windows, Mac OS, and Linux platforms. Adobe Flash Player version 10.1 is available and recommended for all users at the Adobe update site. Systems administrators are advised to plan to push the update as soon as they complete their testing of version 10.1.
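For administrators checking whether the 10.1 update has actually reached their machines, here is a small inventory check, added as an example for this post (it is not Adobe's or the university's code). It assumes a constructed inventory of hostname and version-string pairs; the version strings follow either the dotted form or the comma-separated form Flash reports for its own version, and any host whose version cannot be read is flagged rather than assumed patched.

```python
"""Flag hosts whose Adobe Flash Player is older than the 10.1 release.

Added example for this advisory; not Adobe's or the university's code.
Assumptions: the inventory format below is constructed for illustration,
and version strings are either dotted ("10.1.53.64") or the comma form
the Flash plug-in reports for itself ("WIN 10,0,45,2").
"""
import re
from typing import List, Optional, Tuple

# Minimum Flash Player version recommended by the advisory above.
MIN_FLASH_VERSION = (10, 1, 0, 0)

# Two to four numeric components separated by "." or ","; extra text around
# them (platform prefix such as WIN/MAC/LNX) is ignored.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)(?:[.,](\d+))?(?:[.,](\d+))?")


def parse_flash_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a 4-tuple version from a Flash version string.

    Accepts "10.1.53.64", "10,0,45,2" or "WIN 10,0,45,2". Returns None if no
    version is present. Missing trailing components are treated as 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version: Tuple[int, int, int, int]) -> bool:
    """True when the installed version predates the 10.1 fix."""
    return version < MIN_FLASH_VERSION


def hosts_needing_update(inventory: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for hosts that should be updated.

    Each inventory line is "hostname<TAB>flash version string". A host whose
    version cannot be parsed is reported too: an unknown version must not be
    assumed to be patched.
    """
    flagged = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, raw = line.partition("\t")
        version = parse_flash_version(raw)
        if version is None:
            flagged.append((host, f"version unknown ({raw!r}); verify manually"))
        elif is_vulnerable(version):
            flagged.append((host, f"Flash {'.'.join(map(str, version))} is older than 10.1"))
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "# host\tflash version",
    "lab-pc-01\tWIN 10,0,45,2",
    "lab-pc-02\t10.1.53.64",
    "lab-mac-03\tMAC 9,0,280,0",
    "lab-linux-04\tLNX 10,1,53,64",
    "lab-pc-05\tunknown",
]

if __name__ == "__main__":
    for host, reason in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Comparing the version as a tuple of integers, rather than as a string, is what keeps a build such as 10.0.45.2 from being mistaken for something newer than 10.1; the check is deliberately strict about unreadable entries so that a host with no recorded version shows up on the to-do list instead of silently passing.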
Posted by Thomas Siu at 11:14 PM