Adobe Patches Critical Flash Player Security Flaws
The vulnerabilities could enable an attacker to take control of a system, according to the company.
Adobe today released a security update that patches at least seven vulnerabilities in Flash Player.
"The security update, available for Windows, Mac OS X and Linux operating systems, address vulnerabilities that 'could cause a crash and potentially allow an attacker to take control of the affected system,'" writes ZDNet's Ryan Naraine.
"The flaws were all over the map, and included memory corruption, integer and stack overflow, and security bypass bugs," writes Computerworld's Gregg Keizer. "One of the seven was tagged as a 'binary planting' vulnerability in the Flash installer. 'Binary planting' is a synonym for what others call 'DLL load hijacking,' a bug class first uncovered nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Because many Windows applications don't call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL."
"The big security news in Flash player 11.3 is the addition of the protected mode sandbox for Firefox on Windows," writes Threatpost's Dennis Fisher. "That's a major change for Adobe, which has been adding sandbox to its main product lines for a couple of years now. Adobe Reader X has run in protected mode -- which is what Adobe calls its sandbox -- since its release, and the company also added a sandbox to Flash on Google Chrome."
"To find out if you have Flash installed, or which version is on your system, visit this link," advises Krebs on Security's Brian Krebs. "If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Windows users who have Flash 11.2 or higher installed also have Adobe’s new updater, which is designed to auto-install updates shortly after they’re made available."