Adobe's Releases Out-of-cycle Update To Address Cross-site Scripting Vulnerability In Flash Player

By Author: eccuni
Total Articles: 211
Comment this article

Cybercriminals constantly strive to identify and exploit security flaws in software products. Recently, Adobe released an out-of-cycle security update for Flash Player to mitigate a universal cross-site scripting flaw, which attackers are reportedly exploiting in the wild. The vendor has rated the vulnerability as important. Adobe rates those vulnerabilities as important, which enable attackers to compromise data, allow unauthorized access to confidential information, or compromise processing resources on a victim’s computer system. In this case, attackers entice users to click on a malicious link delivered in a specially crafted e-mail. The purpose of the attack is to steal log in credentials of online accounts. Usually, attackers use the extracted information to gain unauthorized access to online accounts or e-mail service on behalf of the user. In this case, attackers are reportedly exploiting the automatic forwarding feature in Gmail accounts, to gain unauthorized access. When users click on the given link and visit a malicious website, while still being logged on to e-mail account, the attackers address is added to ...
... the user's account. Attackers may come up with different variants and also target other web mail services.

The security update applies to Flash Player 10.3.181.16 and prior versions for Windows, Macintosh, Linux and Solaris users. Google has updated Chrome stable channel to provide protection against the latest vulnerability. The zero-day vulnerability also affects Flash Player 10.3.185.22 and prior versions for Android. The vendor expects to deliver a Flash player update for Android users in the coming days.

Adobe products are one of the popular targets of cybercriminals. Software products are prone to vulnerabilities caused by programming errors, human error, and wrong assumptions on user usage and environment among others. Usually, professionals qualified in penetration testing test the strength of the products and identify vulnerabilities. In this case, security researchers at Google identified and alerted Adobe on the vulnerability.

Security researchers have advised users to immediately update to the latest version to prevent attackers from exploiting the vulnerability. Users must verify the authenticity of the e-mails, before disclosing any information. They must avoid clicking on suspicious links in e-mails and those coming from dubious sources. Attackers may send specially crafted e-mails with enticing subject lines. E-mails arriving from scammers may also contain attachments. Users must be wary of downloading e-mail attachments arriving from unknown sources, attachments with suspicious file names, with risky extensions, and files with double extensions.

Attackers are allegedly actively exploiting the vulnerability by launching target-based attacks. Targeted attacks on employees of an organization may lead to disclosure of privileged information. Employees may open files or click on links in e-mails, as they appear to come from a legitimate source, and inadvertently provide unauthorized access to corporate accounts. Security blogs, e-learning and online computer degree programs may help employees to gain insights on latest security threats, precautionary measures and security guidelines.

Professionals qualified in IT masters degree or computer science degree may facilitate timely identification and application of requisite security updates. Developers must regularly evaluate software products to detect and mitigate security flaws.

Professionals may benefit from online technology degree programs to get acquainted with latest technological developments and bring improvements in software products.