Content

Adobe: Update best fix for Flash Player flaw

Security firms scrambled this week to warn PC users about newly discovered code execution vulnerabilities in Macromedia Flash Player.

Adobe Macromedia advised users to update to the application's latest version in response to the flaw.

"Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these vulnerabilities," Macromedia said in a security bulletin. "Users are recommended to update to the most current version of Flash Player available for their platform.

The company added that all users of Flash Player 8.0.22.0 should update to 8.0.24.0, available from the Player Download Center.

Adobe also thanked Microsoft for reporting the vulnerability to the company.

Secunia deemed the flaw worthy of its second most dangerous ranking, "highly critical," released an advisory on the flaw on Wednesday.

"Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system," the vulnerability monitoring firm said. "The vulnerabilities are caused due to unspecified errors and can be exploited to execute arbitrary code on a user's system when a malicious SWF file is loaded."

Secunia also credited Microsoft for discovering the flaw.

Microsoft, which distributed Flash Player with Windows XP Service Packs 1 and 2, Windows 98, Windows 98 SE and Windows ME, said its Security Response Center was "in communication with Adobe and is aware that Adobe has made updates that are available on their website."

"Microsoft encourages customers who use Flash Player to follow the guidance documented in Adobe's security bulletin," Microsoft said on its TechNet website.

The SANS Institute's Internet Storm Center also warned users that "a flash file has the potential to escape the flash engine and obtain access to the host system."

"Microsoft's writeup contains instructions on disabling the flash ActiveX control from executing. Firefox users could probably get away with using AdBlock to prevent the .swf files, although it's not necessary that the malware end in .swf," SANS warned. "We don't know much else. We don't know how it works. We don't know who's seen it, if anyone has."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.