Adobe fixes critical vulnerabilities in Flash Player

Adobe on Tuesday issued a patch for Flash Player to address five vulnerabilities that could enable an attacker to take control of an affected system or execute arbitrary code.
The vulnerabilities, rated "critical" by Adobe, could also cause a denial-of-service (DoS) or contribute to a clickjacking attack, according to Adobe's security advisory. They affect Adobe Flash Player 10.0.12.36 and earlier and, on Linux, version 10.0.15.3 and earlier.
Users are advised to upgrade to Flash Player version 10.0.22.87.
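For administrators who need to find unpatched installations, the version ranges above translate directly into an inventory check. The following is an added example, not code from the article or from Adobe: it parses Flash Player version strings (dotted form, or the comma-separated "WIN 10,0,22,87" form that Flash itself reports), compares them against the affected ceilings the article quotes for Linux and for other platforms, and flags hosts below the fixed build 10.0.22.87. The `SAMPLE_INVENTORY` hostnames and the per-host versions are constructed for demonstration.

```python
# Added example (not from the article or Adobe): check Flash Player version
# strings against the affected and fixed versions quoted in the article.
from typing import List, Tuple

# Thresholds taken from the article: affected is "X and earlier"; fixed build.
AFFECTED_MAX = {
    "linux": (10, 0, 15, 3),
    "default": (10, 0, 12, 36),   # Windows, Mac OS and other platforms
}
FIXED_VERSION = (10, 0, 22, 87)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '10.0.22.87' or Flash's own 'WIN 10,0,22,87' into a 4-tuple of ints."""
    cleaned = text.strip().split()[-1]          # drop a leading platform token if present
    parts = cleaned.replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))        # pad short versions so tuples compare cleanly


def is_affected(version: str, platform: str = "default") -> bool:
    """True if the installed build is at or below the advisory's affected ceiling."""
    ceiling = AFFECTED_MAX.get(platform.lower(), AFFECTED_MAX["default"])
    return parse_version(version) <= ceiling


def needs_update(version: str) -> bool:
    """True if the installed build is older than the fixed version 10.0.22.87."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (host, platform, version) rows, return hosts running an affected build."""
    return [host for host, platform, ver in inventory if is_affected(ver, platform)]


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "WIN 10,0,12,36"),
    ("ws-02", "windows", "10.0.22.87"),
    ("lx-01", "linux", "10.0.15.3"),
    ("mac-01", "macos", "9.0.124.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected Flash Player build, update to 10.0.22.87")
```

Versions are compared as integer tuples rather than strings, so "10.0.22.87" correctly sorts above "10.0.9.0"; a plain string comparison would get that wrong.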
The most serious issue resolved by the security update appears to be an invalid object reference vulnerability, exploited through a malicious Shockwave Flash (SWF) file loaded in Flash Player. The vulnerability could enable an attacker to take control of an affected system, according to both Adobe and security and vulnerability research company iDefense Labs.
Having tested this vulnerability successfully on Windows XP SP3 and Windows Vista SP1, iDefense noted in its advisory that all platforms supported by Flash Player, including Linux and Mac OS, are likely affected.
Tuesday's update also addresses a buffer overflow issue that could enable an attacker to execute arbitrary code, and an input validation issue that leads to a DoS or potentially arbitrary code execution, Adobe noted in its statement. The update also adds protection from clickjacking exploits in the "settings manager" display page on Adobe.com -- that is, a control panel that runs on the local machine but is displayed and accessed on the Adobe website, according to Adobe.
Additionally, a Windows-only issue with the mouse pointer display that could cause a clickjacking attack was addressed. The update also prevents a Linux-only information disclosure issue in the Flash Player binary, which could lead to privilege escalation, Adobe stated in its advisory.
Still outstanding from Adobe is a fix for a zero-day exploit in its Reader and Acrobat programs. The company has said it plans to patch its latest versions on March 11, which has caused some in the security community to question the delay.