Adobe adds anti-spearphishing feature for Word embedded Flash

Scheduled update fixes 17 critical flaws in Flash, two in Shockwave and adds ‘Click to Play’ auto-launch check for embedded Flash in Office documents.

Hot on the heels of Adobe’s Flash zero-day fixes last Friday, the company has released a new update that integrates a security feature which could have helped prevent the recent spearphishing attacks using Flash embedded in documents opened with older versions of Microsoft Office.

The Flash Player updates fix 17 critical vulnerabilities affecting it on Windows, Mac, Linux, Android 4.x, 3.x, 2.x, as well as Adobe AIR and the Adobe AIR SDK.

It brings the latest version of Flash for Windows to 11.6.602.168, which is the highest priority update. Version details for Flash for Macs, Linux and Android can be found here.

Flash version 11.6 for Windows introduces an important security feature to prevent attacks that exploit automatic execution of Flash files embedded in Office 2008 and earlier documents.

While sandboxing in Office 2010 prevents automatic execution of embedded Flash and explicitly requests permission to run embedded content, embedded content in Office 2008 executes automatically. Adobe’s ASSET Platform Security Strategist, Peleus Uhley, noted last week that this was the vector attackers were exploiting in the vulnerabilities CVE-2013-0633 and CVE-2013-0634: spearphishers were using Flash embedded in Word documents.
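A defender-side check that complements the prompt described above, added here as an example and not code from Adobe or the article: a small scanner that flags documents carrying embedded Flash (an SWF header or the Flash control’s ProgID) so they can be held for review before they reach users still on Office 2008 or earlier. The SWF header layout and the ProgID are real; the two documents are constructed samples.

```python
import re
import struct

# SWF container signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_SIG = re.compile(rb"FWS|CWS|ZWS")
# ProgID of the Flash ActiveX control; Office stores it in the OLE stream of an
# embedded control, often as UTF-16LE.
FLASH_PROGID = b"ShockwaveFlash.ShockwaveFlash"

def find_embedded_swf(blob: bytes) -> list:
    """Return plausible SWF headers: signature (3 bytes), version (1 byte),
    declared length (little-endian uint32). Prose containing "CWS" is filtered
    out by sanity-checking the version and length fields."""
    hits = []
    for m in SWF_SIG.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Real SWF versions are small; the declared length is the uncompressed
        # size, so allow it to exceed the container but not absurdly so.
        if not 1 <= version <= 50 or length < 8 or length > 4 * len(blob):
            continue
        hits.append({"offset": off, "signature": m.group().decode(),
                     "version": version, "length": length})
    return hits

def has_flash_ole_marker(blob: bytes) -> bool:
    """True if the Flash control ProgID appears in ASCII or UTF-16LE form."""
    return FLASH_PROGID in blob or FLASH_PROGID.decode().encode("utf-16-le") in blob

def embeds_flash(blob: bytes) -> bool:
    """Flag a document that should be held for review before a pre-2010 Office
    user opens it: either an SWF header or the Flash control marker is present."""
    return bool(find_embedded_swf(blob)) or has_flash_ole_marker(blob)

# Constructed samples (not real malware): a compound-file-like blob carrying the
# Flash ProgID and a minimal FWS header, and a plain memo that merely says "CWS".
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24          # OLE magic + padding
    + "ShockwaveFlash.ShockwaveFlash".encode("utf-16-le") + b"\x00" * 8
    + b"FWS" + bytes([10]) + struct.pack("<I", 32) + b"\x00" * 24
)
BENIGN_DOC = b"Memo: the CWS team meets Monday."

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_DOC), ("benign", BENIGN_DOC)):
        print(name, embeds_flash(doc), find_embedded_swf(doc))
```

The heuristic is a triage aid for a mail gateway or file share, not a replacement for the prompt itself: a CWS payload can only be inspected further after zlib decompression.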

Security researchers at FireEye and AlienVault reported last week that the spearphishing emails containing the exploits included document attachments posing as a 2013 IEEE Aerospace Conference schedule and an “Employee Quick Reference Guide” made to appear to come from payments processor ADP.

“Launching Flash Player 11.6 from within a version of Office older than Office 2010 will prompt the end-user before executing the Flash content, ensuring potentially malicious content does not immediately execute and impact the end-user,” Adobe’s Uhley said today.

“This feature adds another layer of defence against spearphishing attacks by allowing the end-user an opportunity to realise that they have opened a potentially malicious document and close it before the exploit executes.”

The move follows Mozilla’s recent Click to Play feature changes in Firefox that prevent all web plugins -- including Java, Silverlight, Adobe Acrobat Reader -- from automatically loading when visiting a website, except the latest version of Flash. Click to Play in Firefox requires users to click a plugin pop-up to permit it to run.


Comments

Placebo:

No doubt the bad guys will not read about this update and will not find a way to get around it.