Adobe Flash Zero Day Now Puts Android Smartphones At Risk

Adobe has revealed a critical zero day flaw in Adobe Flash – the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.

The critical flaw could be exploited to crash the affected system, or may even allow an attacker to gain access and control it to execute additional malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.

The latest zero-day vulnerability affecting Adobe’s Flash Player extends to Adobe Flash on the Android mobile OS. Mobile platforms are generally less protected when an issue such as this emerges. Smartphones often attach to untrusted Wi-Fi networks, and there are far fewer warnings and safeguards while surfing the web.

Compared to traditional PC environments, where browsers have extensive security checks built in so that malicious code cannot run, mobile device browsers are still at an early stage. Although the Android sandbox architecture should offer some protection, an exploit could still potentially access data within the browser that might include stored credentials.

Adobe has stated that it is aware of reports of active exploitation and that a patch should be ready within the next two weeks. Risk-averse users should consider uninstalling Flash Player from their devices. Mind you, with the rate at which zero-days are appearing in Adobe applications recently, these users may decide – like Apple – that Flash isn’t worth the risk.


With over 25 years’ experience in IT, Paul Vlissidis is a recognised expert on all aspects of IT and Internet security. He heads technical research and new product development for the Ethical Security Testing division of NCC Group, Europe’s leading independent provider of IT security testing and assurance services. He previously held senior IT risk roles within the utilities (nuclear) industry. Paul is an experienced PCI QSA advising on technical and procedural security and risk management. He provides the technical lead for a large team of ethical hackers on network security testing projects with national and international corporations, several large merchants and service providers, public sector organisations, emergency services and local authorities. He has security clearance under the government’s CESG CHECK and CTAS schemes, enabling him to work on some of the UK’s most sensitive and confidential testing projects, and is a founding member of the security testing industry body CREST (Council of Registered Ethical Security Testers).