Adobe Pushes Update
How can anyone stay on top of all the attack vectors on a Windows computer? Every machine I touch these days never gets consistently updated, especially if it is a personal computer. Today I find that Adobe has pushed an unscheduled security update.
“As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in Flash Player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability.”
Also, this just in. “Software maker Adobe Systems has launched Flash Player 11 and Adobe AIR 3 even as the industry is shifting to HTML 5 on the Web that lessens the reliance of developers on Flash.” Flash Player 11 and AIR 3 are scheduled for release in early October. Adobe didn’t give the date, but you should expect release at Adobe’s annual Max conference, between 1 and 5 October. Both support full hardware acceleration for 2D and 3D graphics, which Adobe claims provides rendering performance 1,000 times faster than Flash Player 10 and AIR 2.
Do you know what Flash version you have installed? No? Then use Adobe’s version test page. You can also check here.
Once you have the current version, you may also wish to adjust your configuration. Flash’s settings are rather curious as the controls themselves aren’t located on the computer but are instead accessed through a Flash object hosted by Adobe.
Adobe: “The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer.”
Right-clicking a Flash object and selecting “Global Settings” opens a page to Adobe’s Flash Player Settings Manager.
Just as flaws in the ubiquitous Adobe Flash were exploited to infiltrate RSA Security and compromise the encryption keys used in RSA’s SecurID two-factor authentication tokens, Flash may also have been the Achilles heel of Diginotar.
Adobe Flash is nearly universal. With Adobe Flash Player software and browser plug-ins available for virtually every operating system and browser, this zero-day flaw could potentially impact 90 to 95 percent of the PCs in the world.
Andrew Storms, director of security operations for nCircle, connects the dots. “Adobe said that today’s bug ‘could be used to act on the user’s behalf with webmail providers.’ I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user’s Gmail account.”
I implore you to patch Flash as soon as possible.






