Adobe fixes critical vulnerabilities in Flash Player

Adobe on Tuesday issued a patch for Flash Player to address five vulnerabilities that could enable an attacker to take control of an affected system or execute arbitrary code.

The vulnerabilities, rated "critical" by Adobe, could also cause a denial-of-service (DoS) or contribute to a clickjacking attack, according to Adobe's security advisory. The affected versions are Adobe Flash Player 10.0.12.36 and earlier, and on Linux 10.0.15.3 and earlier.

Users are advised to upgrade to Flash Player version 10.0.22.87.
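The advisory gives two affected ranges and one fixed build, which is enough to triage an inventory of installed Flash Player versions. The script below is an added example, not code from Adobe or from the article; the version thresholds are the ones quoted above, and the inventory records it runs over are constructed. The one point worth demonstrating is that dotted version strings must be compared as tuples of integers, since a plain string comparison ranks "10.0.9.0" above "10.0.22.87" and would report an old build as already patched.

```python
"""Version triage for the Flash Player update described above.

Added example, not code from Adobe or the article. The version numbers are
the ones quoted in the advisory summary; the inventory records are constructed.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "10.0.22.87"

# Highest build Adobe listed as affected, per platform (as quoted in the article).
LAST_AFFECTED: Dict[str, str] = {
    "windows": "10.0.12.36",
    "mac": "10.0.12.36",
    "linux": "10.0.15.3",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.22.87' into (10, 0, 22, 87).

    Comparing the dotted strings directly is the classic mistake:
    '10.0.9.0' > '10.0.22.87' is True as strings, so a lexical check
    would report a 10.0.9 build as newer than the fix.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(version: str) -> bool:
    """True when the installed build is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def in_listed_affected_range(platform: str, version: str) -> bool:
    """True when the build is at or below the last version Adobe listed as affected."""
    last = LAST_AFFECTED[platform.lower()]
    return parse_version(version) <= parse_version(last)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, bool]]:
    """Return (host, explicitly_listed) for every host still below the fixed build.

    A host above the listed-affected range but still below the fix is flagged
    too, with explicitly_listed=False, so it is not silently skipped.
    """
    result = []
    for host, platform, version in inventory:
        if needs_update(version):
            result.append((host, in_listed_affected_range(platform, version)))
    return result


# Constructed sample inventory: (hostname, platform, installed Flash version).
SAMPLE_INVENTORY = [
    ("ws01", "windows", "10.0.12.36"),   # last listed-affected non-Linux build
    ("ws02", "windows", "10.0.22.87"),   # already on the fixed release
    ("srv03", "linux", "10.0.15.3"),     # last listed-affected Linux build
    ("mac04", "mac", "9.0.124.0"),       # older branch, "and earlier" applies
]

if __name__ == "__main__":
    for host, listed in triage(SAMPLE_INVENTORY):
        status = "listed as affected" if listed else "below fix, outside listed range"
        print(f"{host}: update required ({status})")
```

Feed it the hostname, platform and installed version from whatever inventory source is at hand; anything returned by `triage` should be scheduled for the 10.0.22.87 upgrade regardless of the explicitly-listed flag.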

The most serious issue resolved by the update appears to be an invalid object reference vulnerability, triggered by a malicious Shockwave Flash (SWF) file loaded in Flash Player. The vulnerability could enable an attacker to take control of an affected system, according to both Adobe and the security and vulnerability research company iDefense Labs.

iDefense, which confirmed the vulnerability on Windows XP SP3 and Windows Vista SP1, noted in its advisory that all platforms supported by Flash Player, including Linux and Mac OS, are likely affected.

Tuesday's update also addresses a buffer overflow that could enable an attacker to execute arbitrary code, and an input validation issue that could lead to a DoS or potentially to arbitrary code execution, Adobe noted in its statement. The update additionally adds protection against clickjacking of the "settings manager" page on Adobe.com, a control panel that runs on the local machine but is displayed and accessed through the Adobe website, according to Adobe.

Also fixed was a Windows-only issue with the mouse pointer display that could be used in a clickjacking attack. The update further resolves a Linux-only information disclosure issue in the Flash Player binary, which could lead to privilege escalation, Adobe stated in its advisory.

Still outstanding from Adobe is a fix for a zero-day vulnerability being exploited in its Reader and Acrobat programs. The company has said it plans to patch the latest versions on March 11, a delay that some in the security community have questioned.