May 17, 2020

Google Releases Chrome 11.0.696.68 with Flash 10.3

Google has released Chrome 11.0.696.68 for Macintosh, Windows and Linux to fix two security flaws and upgrade the built-in version of Adobe Flash to 10.3.

The two security fixes are:

  • [64046] Bad casts in Chromium WebKit glue.
  • [80608] Integer overflows in SVG filters.

Note that the referenced bugs will be kept private until a majority of Chrome users have updated.

Flash Player 10.3 contains several new features and enhancements:

  • Media Measurement
  • Acoustic Echo Cancellation
  • Integration with browser privacy controls for managing local storage
  • Native Control Panel
  • Auto-Update notification for Mac OS

With the “integration with browser privacy controls for managing local storage” and the “native control panel” having the greatest impact in terms of information security. These new controls allow users to manage their Flash Player privacy, security and storage settings. Windows, Mac, and Linux users can access the Flash Player Settings Manager directly from the Control Panels or System Preferences on their computers.

10.3 also fixes several critical vulnerabilities in the Flash 10.2 series. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of an affected system.

Zero Day Exploit in Flash was Used to Crack Open RSA’s Servers

Two weeks ago RSA revealed in an open letter to its customers that its servers where compromised by, what they called, “an extremely sophisticated cyber attack”. As a result information relating to RSA’s SecurID two-factor authentication products was extracted from RSA’s systems.

Now, Avivah Litan, an analyst at Gartner Research, has revealed that the hackers used the recently revealed zero day exploit in Adobe’s Flash.

The hackers started their attack by sending phishing emails to groups of RSA employees. The emails were cheekily titled “2011 Recruitment Plan”. Attached to the email was an Excel spreadsheet with the recently-discovered Adobe Flash zero day flaw CVE-2011-0609. In turn this allowed them to download trojans onto RSA’s system where they started hacking until they finally gained privileged access.

Litan does praise RSA’s openness about the attack, but there are questions about RSA’s internal security especially since they sell a fraud detection systems based on user and account profiling that should spot abnormal behavior and intervene in real time.

Adobe Fixes Critical Vulnerabilities in Flash Across the Desktop and on Android

Last week Google released a new version of Chrome with an updated version of Flash to address new zero-day vulnerabilities. Now, as anticipated, Adobe has released the official Flash Player update for Windows, OS X and Linux. Simultaneously it has also released Flash Player 10.2 for Android which also addresses the same vulnerabilities as well as adding new features to the mobile version of the player.

According to the Adobe security bulletins (APSB11-02 and APSA11-01) there are critical vulnerabilities in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Affected versions are: Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris. Also affected is Adobe Flash Player and earlier versions for Android.

On the Android mobile platform, Flash Player 10.2 is now available for download for Android 2.2 (Froyo) and 2.3 (Gingerbread) devices and an initial beta release for Android 3.x (Honeycomb) tablets.

Flash support for Android 3.x devices has been keenly awaited and “brings a full web browsing experience, including video, games and other interactive content.”

Improvements included in Flash Player 10.2 for Android are:

  • Performance enhancements to take advantage of new hardware in both Android 3.x tablets, as well as existing hardware in many Android 2.2 and 2.3 devices
  • Tight integration with the new Android 3.x browser to treat Flash content as part of the web page instead of as a separate “overlay.” This results in improved scrolling of web pages and the ability to display pages in the way intended by the page designer, including new support for compositing HTML and other web content over Flash Player rendered content.
  • Automatic soft keyboard support to simplify text entry for rich mobile and multi-screen experiences

As mentioned above, this new version of Flash for Android also incorporates the security fixes as described in Security Bulletins APSB11-02 and APSA11-01.

Google Releases Chrome 10.0.648.134 and then 10.0.648.151

Google has made two quick releases to its Chrome web browser. The first on Tuesday includes a newer version of Adobe Flash and the second on Thursday blacklists a small number of HTTPS certificates.

A few days ago, Adobe revealed the details of a new zero-day vulnerability in Flash. This vulnerability, which is being exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file and delivered as an email attachment, can cause a crash and/or potentially allow an attacker to take control of the affected system.

The vulnerability is also present in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

Adobe have a fix for this problem which it plans to release at the beginning of next week. However Google has pipped Adobe to the post and released the fix in Chrome ahead of the official Adobe release.