Scheduled update fixes 17 critical flaws in Flash, two in Shockwave and adds ‘Click to Play’ auto-launch check for embedded Flash in Office documents.
Hot on the heels of Adobe’s Flash zero-day fixes last Friday, the company has released a new update which integrates a security feature that could have helped prevent recent spearphishing attacks using embedded Flash in older versions of Microsoft Office documents.
The Flash Player updates fix 17 critical vulnerabilities affecting it on Windows, Mac, Linux, Android 4.x, 3.x, 2.x, as well as Adobe AIR and the Adobe AIR SDK.
It brings the latest version of Flash for Windows to 11.6.602.168, which is the highest priority update. Version details for Flash for Macs, Linux and Android can be found here.
Flash version 11.6 for Windows introduces an important security feature to prevent attacks that exploit automatic execution of Flash files embedded in Office 2008 and earlier documents.
While sandboxing in Office 2010 prevents automatic execution of embedded Flash and explicitly requests permission to run embedded content, embedded content in Office 2008 executes automatically. Adobe’s ASSET Platform Security Strategist, Peleus Uhley, noted last week that this was the vector attackers were exploiting in the vulnerabilities CVE-2013-0633 and CVE-2013-0634: spearphishers were using embedded Flash in Word documents.
Security researchers at FireEye and AlienVault reported last week that the spearphishing emails containing the exploits included document attachments posing as a 2013 IEEE Aerospace Conference schedule and an “Employee Quick Reference Guide” made to appear to come from payments processor ADP.
“Launching Flash Player 11.6 from within a version of Office older than Office 2010 will prompt the end-user before executing the Flash content, ensuring potentially malicious content does not immediately execute and impact the end-user,” Adobe’s Uhley said today.
“This feature adds another layer of defence against spearphishing attacks by allowing the end-user an opportunity to realise that they have opened a potentially malicious document and close it before the exploit executes.”
The move follows Mozilla’s recent Click to Play feature changes in Firefox that prevent all web plugins -- including Java, Silverlight, Adobe Acrobat Reader -- from automatically loading when visiting a website, except the latest version of Flash. Click to Play in Firefox requires users to click a plugin pop-up to permit it to run.