Adobe fixes critical vulnerabilities in Flash Player

Adobe on Tuesday issued a patch for Flash Player to address five vulnerabilities that could enable an attacker to take control of an affected system or execute arbitrary code.

The vulnerabilities, listed as "critical" by Adobe, could also cause a denial-of-service (DoS) or contribute to a clickjacking attack, according to Adobe's security advisory. Vulnerabilities were identified in Adobe Flash Player 10.0.12.36 and earlier and for Linux version 10.0.15.3 and earlier.

Users are advised to upgrade to Flash Player version 10.0.22.87.

The most serious issue resolved by the security update appears to be an invalid object reference vulnerability, exploited through a malicious Shockwave Flash (SWF) file loaded in a Flash Player. The vulnerability could enable an attacker to take control of an affected system, according to both Adobe and security and vulnerability research company iDefense Labs.

Having tested this vulnerability successfully on Windows XP SP3 and Windows Vista SP1, iDefense noted in its advisory that all platforms supported by Flash Player, including Linux and Mac OS, are likely affected.

Tuesday's update also addresses a buffer overflow issue that could enable an attacker to execute arbitrary code and an input validation issue that leads to a DoS or potentially arbitrary code execution, Adobe noted in its statement. The update also adds protection from clickjacking exploits in the "settings manager" display page on Adobe.com -- that is, a control panel that runs on the local machine but is displayed and accessed through the Adobe website, according to Adobe.

Additionally, a Windows-only issue with the mouse pointer display that could contribute to a clickjacking attack was addressed. The update also fixes a Linux-only information disclosure issue in the Flash Player binary, which could lead to privilege escalation, Adobe stated in its advisory.

Still outstanding from Adobe is a fix for a zero-day exploit in its Reader and Acrobat programs. The company has said it plans to patch its latest versions on March 11, which has caused some in the security community to question the delay.