‘Critical’ Flash Vulnerability Discovered for Android Devices

April 12, 2011

According to a very recent posting on Adobe’s Flash website, a ‘critical’ flaw has been discovered that could potentially enable hackers to take complete control of your device, and grab all of your personal information.

We are not trying to sound alarmist, but we do have your best interests at heart and want to help you make your Android phone as safe and secure as possible.

According to Adobe, the vulnerability is essentially only accessible when a person receives a Microsoft Word file with an embedded .swf (Flash file) in it, and the user clicks on that particular file. Thankfully, if you have already updated your Android phone to the latest version of Adobe Flash, then you should be safe. This particular vulnerability only affects versions of Flash earlier than 10.2.154.25, whereas the current version 10.2.156.12 fixes the vulnerability and prevents hackers from having a field day with your personal data. Adobe has assigned this particular vulnerability its highest ranking, called critical, which they say is “a vulnerability, which, if exploited, would allow malicious native-code to execute, potentially without a user being aware.”

So, if you have Flash on your phone, then be sure to update it to the latest version right away.

From Adobe’s Site:

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

Our Thoughts

But to all the iPhone users out there having an “a-ha, Android sucks!” moment, just be aware that you are not alone. In fact, some of the world’s best hackers will agree, hands down, that the iPhone is also extremely hackable and, in many cases, easier to hack than Android. In a recent hacking competition featuring some of the world’s coding masterminds, Android and Windows 7 both went undefeated, while the iPhone was torn wide open in just two short days. Either way – no device is ever safe – not even your Android phone. If you really care about securing your personal information, be sure to check out our guides on how to secure your Android phone.

Android Vs. iOS Security Features Compared

Our Android Security Hub

Via:  Adobe Product Security Incident Response Team (PSIRT) Blog

 
