In tandem with a release of new security updates for Adobe Flash Player for Windows, Mac, Linux, and Android operating systems (which patch a vulnerability “that could cause a crash and potentially allow an attacker to take control of the affected system”), Adobe’s ASSET Platform Security Strategist Peleus Uhley took to a blog post to talk about the update.
The Adobe team has seen these now-patched vulnerabilities exploited in the wild both in attacks using Flash content on websites and via targeted emails that bait users into opening a poisoned Microsoft Word
Uhley also discussed how Adobe is working hard to improve security by sandboxing Flash Player in the latest editions of the Chrome, Mozilla, and Internet Explorer browsers, and by making it easier for users to get Flash Player updates.
He said that by far, the most-targeted vector was Microsoft Office attachments in emails; Microsoft Office 2010 has a Protected Mode sandbox that prevents the code from being executed by default. In earlier versions of Office, the new Adobe security update will post a warning before executing the Flash content being opened--although the protection looks like little more than a click-through warning that most people won’t even read.
In any case, it’s good to see that Adobe is trying. Pro tip to help the effort: Don’t open email attachments from untrusted sources.