Outdated software will in many cases leave a computer exposed to hackers

Nov 11, 2011 12:42 GMT  ·  By

While Adobe patched the SWF file vulnerability a long time ago, users who failed to update their browser plug-ins are still highly targeted by attacks that rely on the outdated version of Flash Player.

Zscaler researchers noticed the phenomenon, which continues to claim many victims among the 7% of customers who still use an old version of the software.

In April 2011, Adobe fixed the weakness, which would allow a cybercriminal to execute arbitrary code or launch a denial-of-service attack using specially crafted Flash content, ensuring it would never hurt any customers who updated the player to the latest versions.

Now it turns out that, since many still rely on the old variants, they become easy targets for hackers who embed malicious SWF files in Microsoft Office documents or HTML pages.

A site recently discovered by the experts embedded a Flash file, nb.swf, in a page, and Adobe's Flash Player executed the file when the site was loaded. The execution of the specially crafted file leads to memory corruption in the player that allows a piece of shellcode to be passed as an input parameter.

At the time it was discovered, only half of the security vendors listed in VirusTotal detected the SWF file as a threat.

“Flash and other browser plugins remain a popular target for attackers, even for known vulnerabilities that have been patched for some time. This is because attackers know that plugins regularly remain unpatched for some time,” states a Zscaler researcher.

This latest incident goes to show the importance of product updates. It is not only anti-virus solutions that need to be constantly updated: browser and operating system components are in many cases used by hackers to take over devices and steal any information that comes their way.

Adobe Flash Player 11.2.202.18/19 Beta / 11.1.102.55 is available for download here.