Adobe blames naïve Office users for latest Flash Player exploits

Alongside critical security updates, Adobe previews feature aimed at stopping Office users from running potentially malicious Flash content

In sync with the release of critical security updates to Flash Player, Adobe's security team has revealed that the forthcoming version of the software will include a feature aimed at protecting gullible users who just can't resist opening every Office doc that shows up in their email.

In a post to the ASSET (Adobe Secure Software Engineering Team) blog, Adobe Platform Security Strategist Peleus Uhley attempts to assure the world that Adobe takes security seriously and has been working hard to make Flash Player safe. He also seems to subtly shift blame for the latest rash of zero-day Flash-related attacks to shortcomings in older versions of Microsoft Office.

"Since the introduction of Adobe Reader X Protected Mode (aka sandboxing) in November 2010, the most common Flash Player zero-day attack vector has been malicious Flash content embedded in Microsoft Office documents and delivered via email," wrote Uhley. "In fact, today's Flash Player update addresses CVE-2013-0633 and CVE-2013-0634, both of which are being exploited in targeted attacks leveraging this very attack vector."

The problem is that earlier versions of Office don't include Version 2010's Protected Mode sandbox, which limits content's privileges within a document. "If the document originates from the Internet or Untrusted Zone, the Protected View feature will prevent Flash Player content from executing by default," he explained. "However, not everyone has the ability to update to Office 2010. In Office 2008 and earlier, Flash Player content will run by default without sandbox protections, making it an attractive attack vector for targeted attacks."

Adobe's forthcoming fix will come in the upcoming release of Flash Player: When an end user opens a Word document that attempts to launch Flash Player, Player will check which version of Office is being used. If it's a version pre-dating Office 2010, Player will open a dialog prompt to warn the user that "this document contains embedded content that may be harmful to your computer." It will then give users two choices: "Do not allow content to play. (Recommended)" or "I recognize this content. Allow it to play."

Will this approach prove effective in deterring an end user who was naïve enough to open a questionable email attachment in the first place? That remains to be seen.

Uhley's post came out the same day Adobe released its latest set of security updates for Flash Player, which are supposed to address the software's latest zero-day vulnerabilities. Malicious hackers have been exploiting CVE-2013-0633 in the wild, sending users targeted emails with Microsoft Word DOC attachments containing malicious Flash content. The exploit targets the ActiveX version of Flash Player on Windows. CVE-2013-0634 is being similarly exploited.

However, hackers are also exploiting CVE-2013-0634 via malicious Flash content hosted on websites "that target Flash Player in Firefox or Safari on the Macintosh platform," so Microsoft isn't solely to blame for the software's security shortcomings.

This story, "Adobe blames naïve Office users for latest Flash Player exploits," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.
