Flash vulnerability opens new attack surface – Android

by Steve Ragan - Sep 14 2010, 15:05

The newest Adobe Flash vulnerability targets the usual suspects, such as Windows and some Macintosh installations. However, there is a new attack surface, Google Android operating system, which is the backbone of several Smartphones in use today.

While the inclusion of Android to the list of vulnerable platforms is interesting, it isn’t something that should induce mass hysteria. It does however demonstrate that as technology advances, so do the windows of opportunity that criminals can use to target their victims.

According to Adobe, there are active attacks against the Flash Player vulnerability. These attacks are centered to Windows only, so for now, all the other vulnerable installations, including Flash Player 10.1.92.10 for Android and Flash Player 10.1.82.76 and earlier on Windows, Macintosh, Linux, and UNIX, are safe.

If exploited, the vulnerability could lead to system crashes and code execution. In addition to Flash Player itself, the vulnerability will impact Adobe Reader as well as Adobe Acrobat installations 9.3.4 and earlier, which marks the second vulnerability for these products within a week.

While payloads, best practices, and mitigations for Windows users are established, it is unknown how an attack on an Android phone would turn out. Likewise, Windows users are used to steps taken to protect their systems, but this is the first time Android users have had to worry about Flash problems other than rendering.

Adobe says that a patch for Flash Player will be released the week of September 27. Adobe Acrobat and Reader will be patched October 4.

More details are in the advisory.

Around the Web