On Tuesday, Adobe released a security update that fixes multiple security flaws in Adobe Flash Player, including vulnerabilities that could allow an attacker to take over a user’s system. The updates apply to Adobe Flash Player (and the related AIR runtime) for Windows, Macintosh, Linux, Android and iOS, and are available for download from the Adobe Web site.
The update includes patches for a variety of problems. Adobe rates the vulnerabilities themselves “critical,” meaning that, if exploited, they would allow malicious native code to execute, potentially without the user being aware; separately, it assigned four of the affected products its highest update priority, the ranking it reserves for flaws that are being exploited or are likely to be. Users can go to the Adobe Web site to verify which version of Flash Player they are running and upgrade to the latest version. Users running multiple browsers should perform the check in each one installed on their systems, because each browser loads its own copy of the plugin (the NPAPI plugin in Firefox, the ActiveX control in Internet Explorer, and the copy bundled with Chrome).
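One way to do that check from a page, as an added example that is not code from the article or from Adobe: read the version string the browser exposes (the NPAPI plugin description or version in Firefox and Chrome, the ActiveX control’s `$version` in Internet Explorer), normalise it, and compare it with the first fixed build for that release branch. The `MIN_PATCHED` table, the function names and the sample strings are assumptions for illustration; the real thresholds must be taken from Adobe’s bulletin for this update.

```javascript
// Added example (not code from the article or from Adobe): report whether the
// Flash Player the current browser loads is at or above the patched build.
// MIN_PATCHED is an assumed table for illustration; fill it from Adobe's bulletin.

const MIN_PATCHED = {           // release branch (major) -> first fixed build
  16: [16, 0, 0, 257],          // desktop runtime, Chrome, IE   (assumed)
  13: [13, 0, 0, 260],          // Extended Support Release      (assumed)
  11: [11, 2, 202, 429],        // Linux                         (assumed)
};

// Normalise the three formats browsers hand out into [major, minor, rev, build]:
//   NPAPI description  "Shockwave Flash 16.0 r257"
//   ActiveX $version   "WIN 16,0,0,257"
//   Plain dotted       "16.0.0.257"  (e.g. Chrome's plugin.version)
// Returns null when the string is not a Flash version.
function parseFlashVersion(s) {
  if (typeof s !== "string") return null;
  let m = s.match(/(\d+),(\d+),(\d+),(\d+)/);
  if (m) return m.slice(1, 5).map(Number);
  m = s.match(/(\d+)\.(\d+)(?:\.(\d+))?\s*r(\d+)/);
  if (m) return [Number(m[1]), Number(m[2]), Number(m[3] || 0), Number(m[4])];
  m = s.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)/);
  if (m) return m.slice(1, 5).map(Number);
  return null;
}

// Lexicographic compare of two 4-part versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Find the installed version. `nav` is the browser's navigator (NPAPI plugin
// list, used by Firefox and Chrome); `activeXFactory` builds an ActiveX object
// in Internet Explorer. Both are parameters so the logic can run without a
// browser. Returns null when no Flash Player is found.
function detectInstalledFlash(nav, activeXFactory) {
  const plugins = nav && nav.plugins;
  const p = plugins && plugins["Shockwave Flash"];
  if (p) return parseFlashVersion(p.version || p.description);
  if (typeof activeXFactory === "function") {
    try {
      const ax = activeXFactory("ShockwaveFlash.ShockwaveFlash");
      return parseFlashVersion(ax.GetVariable("$version"));
    } catch (e) {
      // No ActiveX control registered: fall through.
    }
  }
  return null;
}

// "patched" | "vulnerable" | "absent" | "unknown-branch"
function flashStatus(installed, minTable) {
  if (!installed) return "absent";
  const min = minTable[installed[0]];
  if (!min) return "unknown-branch";
  return compareVersions(installed, min) >= 0 ? "patched" : "vulnerable";
}

// In a real page: run this once per browser, since each browser loads its own copy.
function checkThisBrowser() {
  const nav = typeof navigator !== "undefined" ? navigator : null;
  const ax = typeof ActiveXObject !== "undefined" ? (id) => new ActiveXObject(id) : undefined;
  return flashStatus(detectInstalledFlash(nav, ax), MIN_PATCHED);
}
```

Note that a branch missing from the table reports "unknown-branch" rather than "patched": the check should fail closed. Chrome’s bundled copy is updated with the browser itself, so a "vulnerable" result there means the browser, not a separate plugin, is behind.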
The Vulnerabilities Keep Coming
The update comes only a week after hackers took advantage of a Flash vulnerability to attack the AOL Ad Network with a nasty bit of malvertising. The attack affected popular Web sites such as the Huffington Post, GameZone and LA Weekly. Ads hosted on those sites from an AOL ad network redirected visitors to a site that exploited a Flash bug to download a Trojan onto the user’s computer.
According to Adobe, users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to the latest version. Similarly, users of the Adobe Flash Player Extended Support Release, Adobe Flash Player for Linux, Adobe Flash Player for the Chrome browser and Internet Explorer, Adobe AIR desktop runtime, Adobe AIR SDK, Adobe AIR SDK and Compiler, and Adobe AIR for Android should also update to the latest versions of their respective software.
The news of yet another batch of vulnerabilities in Flash is unlikely to win Adobe any more fans. Flash Player has frequently been derided for its vulnerabilities by members of the IT security sector. Perhaps most famously, Steve Jobs refused to allow Flash to run on iOS devices such as the iPad, citing security concerns.
Critical Vulnerabilities Addressed
The updates for Flash Player Desktop Runtime, Flash Player Extended Support Release, Flash Player for Google Chrome and Flash Player for Internet Explorer 11 and 10 all carry Adobe’s highest priority rating. The updates for the remaining builds, including AIR, AIR SDK, AIR SDK and Compiler and AIR for Android, were given a much lower priority by Adobe, not because the flaws are different but because those products historically have not been targets for attackers. Users may install updates to these programs at their discretion, the company said.
The update resolves an improper file validation issue, an information disclosure vulnerability that could be exploited to capture keystrokes, memory corruption issues that could lead to code execution, heap-based buffer overflow issues, out-of-bounds read vulnerabilities that could be exploited to leak memory addresses (and so defeat address-space layout randomization), and a use-after-free vulnerability that could lead to code execution.
Posted: 2015-01-15 @ 9:52am PT
Capturing keystrokes makes me very nervous. I hope I can download the right fix for this problem. When an update comes to me in a pop-up I feel hesitant to take it in case it is not authentic.