Adobe Flash hit by new zero-day flaw -- needs patching

TrendLabs has warned of a new problem affecting Adobe’s Flash product. “This is a serious situation that affects nearly everyone using Microsoft Windows,” the security company said. A new vulnerability affecting Adobe’s Flash product on Microsoft Windows. This vulnerability or flaw can be used by attackers to run code or programmes on users Windows computer as if they ran it. Anything user can do on their computer the attacker’s programme can do. In a worst case like this, they can load malware on user’s computer. [caption id=“attachment_1250037” align=“alignleft” width=“380”]  Adobe company logos are seen in this picture illustration taken in Vienna July 9, 2013. Picture taken July 9, 2013. Reuters[/caption] “Vulnerabilities are found all the time. But usually vulnerabilities are fixed with a patch when they’re found, before attackers can target them. As long as you keep your system up-to-date, you’re protected against most vulnerabilities. What makes this situation serious is that researchers, including our TrendLabs researchers, have discovered that attackers found this vulnerability first and have been attacking it before a patch is available: this kind of situation is called a “zero-day” situation, because defenders have “zero days” to protect against attacks. This means even if you keep your system up-to-date, you’re still at risk of attack until Adobe releases a patch,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro. What makes this situation more serious is that the attacks we’ve seen are using banner ads (called “malvertisements”) to spread malware. This means that users can go to trusted sites they expect to be safe and still get malware on their system. These attacks work by attackers targeting and compromising the third-party ad servers that offer the ads you see on legitimate and popular sites. This is a particularly nasty form of attack, one that puts average users at great risk. The situation is even more serious because this vulnerability is being used by what we call an “exploit kit”: a tool that cyber-criminals make and sell to other cyber-criminals so they can carry out attacks. An exploit kit spreads attacks much more widely. This particular vulnerability is being used in the “Angler” exploit kit. “Taken all together, this means that this is a vulnerability that can be widely attacked. It’s a potentially very serious situation that everyone running Microsoft Windows should be aware of.” Right now, there’s no indication that attackers are targeting Adobe Flash on other platforms like the Mac or Android. If you use these platforms, though, you should make sure you’re running security software and apply any patches from Adobe as soon as possible. What should you do about it? Two most important things users can do to protect their system when they’re online is: keep their system and programmes up-to-date and run a mature, full-featured security package. “In this case, because it’s a zero-day situation, step #1 won’t protect you. We’re still waiting for a patch from Adobe for this.”