Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Posted by Soulskill on from the something-to-be-said-for-consistency dept.

Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

3 of 167 comments (clear)

  1. Re:Are there non-malicious uses? by tibit · · Score: 4, Informative

    People use Word documents to send freaking pictures around, because they don't know they can paste into Paint. They don't know how to send weblinks either, so they paste it into Word and send it on.

    --
    A successful API design takes a mixture of software design and pedagogy.
  2. Re:Huh? by benjymouse · · Score: 4, Informative

    Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content

    Why?

    Probably because of Windows sandboxing Flash through low-integrity mode. Even if you get to exploit a Flash vulnerability and execute your shell code on Windows, the code is still severely restricted in what it can do. Code executing inside of a low-integrity process can still not infect a system as write-ups (writing or interacting with a higher integrity object/process) are denied.

    They could as easily infect you with a macro. Who in their right mind opens a Word doc from and unknown source, especially when Windows warns you when you start to open a word doc in Outlook (we use Outlook at work).

    No, infecting with a Macro is more difficult since the last several versions of Word. Word will not automatically run macros and also has an internet-origin policy whereby documents received through Outlook or other email clients or downloaded using a browser is tainted with the "internet zone". You have to dismiss several warnings to run macros from such a document. But if Word will run Flash content (show the animation) and a vulnerability can be exploited, shell code can run as a user.

    That is, until Word 2010 which *also* runs in low-integrity when viewing content tainted with the internet zone. Since Word 2010 the shell code will still be confined to the low-integrity sandbox.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  3. Re:Die Flash, Die by Beorytis · · Score: 4, Informative

    Actually no. Although the term shares its origin with the ethnonym "Deutsch", in the local dialect of English spoken there, it's "Pennsylvania Dutch". Not idiots. Just not speaking your idiolect.