Adobe Patches 12 Vulnerabilities in Flash Player
By Jennifer LeClaire / CRM Daily
Adobe Systems on Friday issued a security update to its Flash Player that fixes at least 12 security holes. The patch plugs a zero-day vulnerability attackers have been using to break into computers via Flash.

Three of the 12 problems were caused by issues in Microsoft development code. Adobe listed 10 of the vulnerabilities as potential avenues of attack by hijackers who either take complete control of a system or execute malware on a machine without the victim's knowledge.

The patches fix vulnerabilities for Flash products that run on Windows, Linux and Mac. Solaris users are still waiting on a fix.

Why Not Disable Flash?

According to Tyler Reguly, a senior security engineer for nCircle, Adobe moved fairly quickly to get the fix out and deserves kudos for the speed with which the patch was released. But he still has questions about the way Adobe handled the patch.

"What surprises me most about this is that the recommended mitigation from Adobe in APSA09-03 was to rename or remove a file. Why is there no easy way to disable Flash support in Acrobat and Reader? JavaScript has an Enable/Disable checkbox, so why not Flash?" Reguly said.

Reguly is calling on Adobe to amend this in a future release -- hopefully a near-future release -- and to start shipping Acrobat and Reader with both JavaScript and Flash disabled.

"Included in the recent updates was a fix for MS09-035, the vulnerability affecting Microsoft ATL. It is great to see third parties releasing coverage so quickly," Reguly said. "However, I would imagine that Adobe was one of the vendors that Microsoft shared the patch with early in order to expedite the release. The same will not be true for smaller vendors, and now is a great time to remind people to keep an eye out for updates to those smaller products."

Understanding the Threat

Adobe's end-of-week patch follows Microsoft's out-of-cycle patches to fix vulnerabilities found in the Active Template Library (ATL) that Reguly mentioned, a set of software developer tools used in the creation of COM and ActiveX modules. Adobe used Microsoft's flawed Active Template Library code to create Flash Player and Shockwave Player.

The threat was serious. Adobe's patch resolves integer overflow, stack overflow, and heap overflow vulnerabilities that could lead to remote code execution. It also addresses a clickjacking vulnerability that could allow an attacker to lure browser users into unknowingly clicking on a link or dialog, as well as a local sandbox vulnerability that could potentially lead to information disclosure.

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player and Adobe also recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2. Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.3 and Acrobat 9.1.3.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.