Peaches
Posted February 27, 2009

25 February 2009, 12:49

Adobe patches critical hole in Flash Player, but PDF hole remains open

Adobe has released an update for its Flash Player that fixes a critical security vulnerability that could allow an attacker to remotely take control of a user's system. The vulnerability can be found in versions 10.0.12.36 and earlier of the player. Version 10.0.15.3 for Linux is also vulnerable. For an attack to be successful, a user must either load a malicious Shockwave Flash (SWF) file into Flash Player, or simply be lured to a site containing a malicious SWF file.

The update fixes the buffer overflow issue that could potentially allow an attacker to execute arbitrary code and take control of the affected system. The update also resolves an input validation issue that leads to a Denial of Service (DoS) attack and a Windows-only issue, where Flash could potentially contribute to a Clickjacking attack.

The Flash Player does have a built-in automatic update checker; however, it only checks for updates once every 30 days. To protect yourself, Adobe recommends that all Flash Player users update to the newest version manually. The current version of the Flash Player is 10.0.22.87. Users can check which version of the Flash Player they currently have installed by simply visiting the about Adobe Flash page.

An iDefense report on the issue documents the length of time that it has taken Adobe to patch this vulnerability. Initial contact was made on the 25th of August, 2008 and the issue has only now been fixed.

Heise Security for full story: http://www.h-online.com/security/Adobe-pat...n--/news/112717