
Android Vulnerable to New Flash Player Hacks

Source: Adobe

Android owners can't even escape a new vulnerability found in Flash Player.

Adobe's latest security bulletin warns that a critical vulnerability exists in the new Flash Player and earlier for Windows, Mac, Linux and Solaris platforms. The vulnerability also exists in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1), and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

And for those Android users who just couldn't wait for the arrival of Froyo and its built-in support for Flash (cough), the vulnerability also exists in Flash and earlier for the Android platform. Welcome to the Flash club.

According to Adobe, the "CVE-2011-0609" vulnerability could cause a crash and potentially allow an attacker to take control of the affected system/device. So far, Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by the current issue.

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat," the company said. "Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."

Kaspersky Lab security researcher Roel Schouwenberg said in a blog post that the target must open a malicious XLS file for a vulnerability in Flash to be exploited. "This kind of structure is a perfect setup for targeted attacks," he said. "During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP. It's likely though a ROP-exploit would be able to exploit this vulnerability under Windows 7."

Although Adobe didn't get into specifics, the company said an update for Flash Player 10.x and earlier will head to Windows, Macintosh, Linux, Solaris and Android during the week of March 21, 2011. An update for Adobe Acrobat X (10.0.1) and earlier, 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions will be made available that same week.

"Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011," Adobe said.

Owners of the new Motorola XOOM tablet, which just received Flash Player support, may want to delay installing Flash until Adobe releases a fix. Then again, all users are warned not to open XLS email attachments that were not requested.

This thread is closed for comments
  • 3
    joytech22 , March 16, 2011 1:01 AM
    Almost nobody is silly enough to open attachments like those or dangerous websites, but of course those less knowledgeable could unknowingly be infected.
  • -2
    milktea , March 16, 2011 2:36 AM
    I haven't used Flash for a long time. It's been disabled since I've installed Firefox 3.6. Hope Flash would phase out soon.
  • 0
    HappyBB , March 16, 2011 4:38 AM
    Someone please quickly replace Adobe! I can't stand that their products keep having security vulnerabilities given that they are not as complex as an OS, and I am so tired of seeing Flash Player/Reader updates each time I boot up my system or use their products! HTML5, please replace Flash completely ASAP! Someone please replace the Reader as well!
  • 0
    martel80 , March 16, 2011 7:05 AM
    You have an alternative to Adobe's Reader, like Foxit pdf reader.
  • 0
    virtualban , March 16, 2011 7:53 AM
    martel80: You have an alternative to Adobe's Reader, like Foxit pdf reader.

    Was just about to say that, then I refreshed guessing somebody would have said that exactly, and you did. :) 
  • 1
    eddieroolz , March 16, 2011 8:21 AM
    The day we can stop using Flash is the day we have a big win against malware.
  • 0
    torque79 , March 16, 2011 10:40 AM
    Does Android even have native support for .xls files? I have never tried opening one, but I know I haven't installed any apps for Excel support.
  • 1
    Anonymous , March 16, 2011 12:27 PM
    I'm not a big fan of Flash but I really don't see how getting rid of it will get rid of malware. Hackers have fun finding ways to exploit systems at every level and exploits for HTML5 will eventually make their way out. Some web sites are now starting to use HTML5 ad banners. There really is no way around these problems and getting rid of Flash will do little to solve any of this.
  • 0
    maestintaolius , March 16, 2011 8:04 PM
    eddieroolz: The day we can stop using Flash is the day we have a big win against malware.

    People will just figure out how to exploit some other flaw in the next big thing. It's never going to be a war you can win.
  • 0
    scuba dave , March 16, 2011 8:05 PM
    joytech22: Almost nobody is silly enough... ...those less knowledgeable could unknowingly be infected.

    It is because of that reason alone (well, that and irrational consumer fear..) that Norton, and the like have been able to thrive. Everyone thinks they won't be infected. But unfortunately, most people are less knowledgeable and end up compromised. And I fully expect a rather large number to fall victim to this. Number wise.. Not proportional.

  • 0
    ohseus , March 16, 2011 11:58 PM
    Odd, I don't see the people who always complain that the iPhone doesn't run Flash commenting on this article.
  • 0
    mayankleoboy1 , March 17, 2011 4:14 PM
    I haven't used Flash for a long time. It's been disabled since I've installed Firefox 3.6. Hope Flash would phase out soon.

    not in the next 2 years