Adobe Systems on Friday issued a security update to its Flash Player that fixes at least 12 security holes. The patch plugs a zero-day vulnerability attackers have been using to break into computers via Flash.
Three of the 12 stem from flaws in Microsoft-supplied development code that Adobe built into Flash. Adobe listed 10 of the 12 as vulnerabilities an attacker could use to take complete control of a system or run malicious code on it without the victim's knowledge.
The patches fix vulnerabilities for Flash products that run on Windows, Linux and Mac. Solaris users are still waiting on a fix.
Why Not Disable Flash?
According to Tyler Reguly, a senior security engineer for nCircle, Adobe deserves credit for how quickly it got the fix out, but he still has questions about how the patch was handled.
"Included in the recent updates was a fix for MS09-035, the vulnerability affecting Microsoft ATL. It is great to see third parties releasing coverage so quickly," Reguly said. "However, I would imagine that Adobe was one of the vendors that Microsoft shared the patch with early in order to expedite the release. The same will not be true for smaller vendors, and now is a great time to remind people to keep an eye out for updates to those smaller products."
Understanding the Threat
Adobe's end-of-week patch follows Microsoft's out-of-cycle updates for vulnerabilities in the Active Template Library (ATL), the set of C++ templates used to build COM and ActiveX components that Reguly mentioned. Adobe compiled the flawed ATL code into Flash Player and Shockwave Player, so the ATL bugs had to be fixed there too.
The threat was serious. Adobe's patch resolves integer overflow, stack overflow, and heap overflow vulnerabilities that could lead to remote code execution. It also addresses a clickjacking vulnerability that could allow an attacker to lure browser users into unknowingly clicking on a link or dialog, as well as a local sandbox vulnerability that could potentially lead to information disclosure.
Adobe recommends that users of Flash Player 9.x and 10.x and earlier update to Flash Player 9.0.246.0 or 10.0.32.18, that users of Adobe AIR 1.5.1 and earlier update to AIR 1.5.2, and that users of Adobe Reader 9 and Acrobat 9 and earlier update to Reader 9.1.3 and Acrobat 9.1.3.
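The fixed builds above span two Flash Player branches, so a plain "is the version number bigger" comparison gets it wrong: 9.0.246.0 is patched even though it sorts below the unpatched 10.0.22.87. The following is an added example, not Adobe's code, of a small inventory check that compares each reported build against the fixed build for its own branch. It takes the fixed versions from the bulletin figures quoted in the article, accepts the comma-separated form that Flash's `$version` variable reports (for example `WIN 10,0,22,87`), and treats a branch newer than every listed fixed branch as patched, which is an assumption. The inventory rows are constructed sample data.

```python
import re

# Minimum fixed builds per product and major branch, as quoted in the article
# (Flash Player 9.0.246.0 / 10.0.32.18, AIR 1.5.2, Reader and Acrobat 9.1.3).
FIXED = {
    "flash":   {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)},
    "air":     {1: (1, 5, 2)},
    "reader":  {9: (9, 1, 3)},
    "acrobat": {9: (9, 1, 3)},
}

# Matches a dotted or comma-separated version anywhere in a string.
_VERSION_RE = re.compile(r"(\d+(?:[.,]\d+)*)")


def parse_version(text):
    """Extract a numeric version tuple from strings such as '10.0.22.87',
    'WIN 10,0,22,87' (what Flash's $version returns) or 'Adobe Reader 9.1.2'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in re.split(r"[.,]", m.group(1)))


def _pad(v, n):
    # Right-pad with zeros so '1.5' compares as (1, 5, 0).
    return tuple(v) + (0,) * (n - len(v))


def is_patched(product, text):
    """True if the reported build is at or above the fixed build for its branch.

    A branch older than every fixed branch is unpatched (Adobe said 'and
    earlier' versions must update). A branch newer than every fixed branch is
    assumed to carry the fix; that is an assumption, not something the bulletin
    states.
    """
    branches = FIXED[product]
    v = parse_version(text)
    major = v[0]
    if major in branches:
        fixed = branches[major]
        n = max(len(v), len(fixed))
        return _pad(v, n) >= _pad(fixed, n)
    if major < min(branches):
        return False
    return True


def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [(h, p, s) for h, p, s in inventory if not is_patched(p, s)]


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("ws01", "flash", "WIN 10,0,22,87"),        # 10.x below 10.0.32.18: unpatched
    ("ws02", "flash", "10.0.32.18"),            # exactly the fixed build: patched
    ("ws03", "flash", "9.0.159.0"),             # 9.x below 9.0.246.0: unpatched
    ("ws04", "air", "1.5.1"),                   # below AIR 1.5.2: unpatched
    ("ws05", "reader", "Adobe Reader 9.1.3"),   # fixed Reader build: patched
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print("UPDATE NEEDED: %s %s %s" % (host, product, version))
```

The branch lookup is the point: a host on Flash 9 that has applied 9.0.246.0 is done, and flagging it merely because "10.0.32.18 is higher" would send the wrong machines to the front of the queue.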