Adobe

Adobe Systems released emergency security updates for Flash Player in order to fix a vulnerability that has been exploited in attacks against users since earlier this month.

The attacks were discovered by security researchers from Kaspersky Lab and were launched from a website set up by the Syrian Ministry of Justice to receive complaints about law violations. It’s not clear who was behind the attack, but the site had been compromised in the past by hackers.

Adobe has released a fix for a zero-day vulnerability in Flash Player, which impacts users running Windows, Mac and Linux operating systems.

The company yesterday urged Windows and Mac users to download Flash Player versions 12.0.0.44 and 11.7.700.261 (for those who cannot update to version 12.0). Those running Flash on Linux systems were directed to install version 11.2.202.336 of the plug-in.

Adobe is recommending that users update their Flash Players immediately -- especially those who frequent Google Chrome and Internet Explorer. The company released an emergency security bulletin on Tuesday that addresses vulnerabilities in Flash, which could be exploited by hackers.

"This vulnerability could allow an attacker to remotely take control of the affected system," Adobe wrote in a blog post. "Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users apply the updates referenced in the security bulletin."

A new zero day flaw in Windows XP and Server 2003 is being exploited in the wild to bypass the sandbox on unpatched versions of Adobe Reader, security firm FireEye has reported.

According to the firm’s analysis, the vulnerability allows for a standard user running XP SP3 to elevate privileges to admin level, allowing a targeted attack on users running Reader versions 9.5.4, 10.1.6, 11.0.02 and before using a malicious PDF.

Today Adobe issued updates for the Flash Player on Windows, Mac and Linux. Adobe AIR and the AIR SDK and Compiler are also being updated. At the same time the company issued a security hotfix for ColdFusion, their web application platform.

Adobe says that these updates are unrelated to the recent theft of ColdFusion source code.

In an update on the data breach disclosed earlier this month, Adobe has said that source code for Photoshop was stolen. Making matters worse, a file containing 150 million usernames and hashed passwords has appeared online, and the company says that 38 million accounts were directly impacted by the incident.

Adobe has worked with Apple to sandbox Flash Player under Safari in Mac OS X, restricting the ability of attackers to exploit any vulnerabilities they might find in the browser plug-in.

"With this week's release of Safari in OS X Mavericks, Flash Player will now be protected by an OS X App Sandbox," Peleus Uhley, platform security strategist at Adobe, said Wednesday in a blog post. A sandbox is a mechanism that enforces certain restrictions on how an application interacts with the underlying operating system.

Adobe said it suffered a sustained compromise of its corporate network, allowing hackers to illegally access source code for several of its widely used software applications as well as password data and other sensitive information belonging to almost three million customers.

For commercial software coders looking to thwart cybercriminals, finding and fixing vulnerabilities is all well and good. In reality, though, that approach to product security can be a colossal waste of time and resources, according to Adobe's Brad Arkin. What really makes a difference is mitigation.

L33tdawg: Video of their talk from #HITB2013AMS is available on YouTube.

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.