Adobe fixes critical vulnerabilities in Flash Player

Adobe on Tuesday issued a patch for Flash Player to address five vulnerabilities that could enable an attacker to take control of an affected system or execute arbitrary code.

The vulnerabilities, rated "critical" by Adobe, could also cause a denial-of-service (DoS) or contribute to a clickjacking attack, according to Adobe's security advisory. The affected versions are Adobe Flash Player 10.0.12.36 and earlier, and on Linux, version 10.0.15.3 and earlier.

Users are advised to upgrade to Flash Player version 10.0.22.87.

The most serious issue resolved by the update appears to be an invalid object reference vulnerability, exploited by loading a malicious Shockwave Flash (SWF) file in Flash Player. The flaw could enable an attacker to take control of an affected system, according to both Adobe and vulnerability research firm iDefense Labs.

iDefense said in its advisory that it had confirmed the vulnerability on Windows XP SP3 and Windows Vista SP1, and noted that all platforms supported by Flash Player, including Linux and Mac OS, are likely affected.

Tuesday's update also addresses a buffer overflow issue that could enable an attacker to execute arbitrary code, and an input validation issue that could lead to a DoS or potentially to arbitrary code execution, Adobe noted in its statement. The update also adds protection from clickjacking exploits in the Flash Player "settings manager" page on Adobe.com, a control panel that runs on the local machine but is displayed and accessed through the Adobe website, according to Adobe.

Additionally, a Windows-only issue with the mouse pointer display that could enable a clickjacking attack was addressed. The update also fixes a Linux-only information disclosure issue in the Flash Player binary that could lead to privilege escalation, Adobe stated in its advisory.

Still outstanding from Adobe is a fix for a zero-day exploit in its Reader and Acrobat programs. The company has said it plans to patch its latest versions on March 11, which has caused some in the security community to question the delay.