Adobe Flash hit by new zero-day flaw -- needs patching

Anything user can do on their computer the attacker’s programme can do. In a worst case like this, they can load malware on user's computer.

FP Staff January 23, 2015 17:56:19 IST
Adobe Flash hit by new zero-day flaw -- needs patching

TrendLabs has warned of a new problem affecting Adobe's Flash product. "This is a serious situation that affects nearly everyone using Microsoft Windows," the security company said.

A new vulnerability affecting Adobe's Flash product on Microsoft Windows. This vulnerability or flaw can be used by attackers to run code or programmes on users Windows computer as if they ran it. Anything user can do on their computer the attacker’s programme can do. In a worst case like this, they can load malware on user's computer.

Adobe Flash hit by new zeroday flaw  needs patching

Adobe company logos are seen in this picture illustration taken in Vienna July 9, 2013. Picture taken July 9, 2013. Reuters

“Vulnerabilities are found all the time. But usually vulnerabilities are fixed with a patch when they’re found, before attackers can target them. As long as you keep your system up-to-date, you’re protected against most vulnerabilities. What makes this situation serious is that researchers, including our TrendLabs researchers, have discovered that attackers found this vulnerability first and have been attacking it before a patch is available: this kind of situation is called a “zero-day” situation, because defenders have “zero days” to protect against attacks. This means even if you keep your system up-to-date, you’re still at risk of attack until Adobe releases a patch,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro.

What makes this situation more serious is that the attacks we’ve seen are using banner ads (called “malvertisements”) to spread malware. This means that users can go to trusted sites they expect to be safe and still get malware on their system. These attacks work by attackers targeting and compromising the third-party ad servers that offer the ads you see on legitimate and popular sites. This is a particularly nasty form of attack, one that puts average users at great risk.

The situation is even more serious because this vulnerability is being used by what we call an “exploit kit”: a tool that cyber-criminals make and sell to other cyber-criminals so they can carry out attacks. An exploit kit spreads attacks much more widely. This particular vulnerability is being used in the “Angler” exploit kit.

"Taken all together, this means that this is a vulnerability that can be widely attacked. It’s a potentially very serious situation that everyone running Microsoft Windows should be aware of."

Right now, there’s no indication that attackers are targeting Adobe Flash on other platforms like the Mac or Android. If you use these platforms, though, you should make sure you’re running security software and apply any patches from Adobe as soon as possible.

What should you do about it?

Two most important things users can do to protect their system when they’re online is: keep their system and programmes up-to-date and run a mature, full-featured security package. "In this case, because it’s a zero-day situation, step #1 won’t protect you. We’re still waiting for a patch from Adobe for this."

Updated Date:

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.

also read

Tokyo Olympics 2020: Organisers on alert for cyberattacks as alleged Russian plot revealed
Sports

Tokyo Olympics 2020: Organisers on alert for cyberattacks as alleged Russian plot revealed

Tokyo 2020 officials said they had taken a range of countermeasures against digital attacks but did not disclose details, citing security concerns.

Google rolls out Chrome and Chrome OS update to fix 'zero day' security threat
News & Analysis

Google rolls out Chrome and Chrome OS update to fix 'zero day' security threat

An internal security team of Google, Project Zero, found the bug and released the security patch, the version 86.0.4240.111, on 20 October.