Adobe updates Flash Player to fix clickjacking, buffer overflow flaws

SearchSecurity.com Staff

Adobe Systems Inc. updated its popular Flash Player to fix vulnerabilities that could allow an attacker to execute arbitrary code and gain control of a computer.

Flaws were discovered in version 10.0.12.36 of Flash Player and earlier. The update also affects AIR 1.5, Flash CS4 and CS3 Professional and Flex 3.

Affected users should upgrade to version 10.0.22.87. A patch was also released for Flash Player 9 for users who cannot update to the latest version, Adobe said.

Adobe Acrobat zero-day:
Sourcefire issues Adobe zero-day patch to block attacks: "Home brew patch" blocks attempts by hackers to exploit an unpatched buffer overflow vulnerability in Adobe Reader 9.

Attackers target new Adobe zero-day flaw: Attackers are actively targeting a zero-day flaw in Adobe Acrobat Reader software, according to a warning from Symantec.

In its security advisory, Adobe said the update addresses five vulnerabilities in the player. Among the flaws is an input validation issue that could result in a denial-of-service attack. A potential clickjacking issue has also been patched, as has an issue with the Linux version of the Flash player that could result in privilege escalation.

A flaw was discovered by iDefense Labs, which issued an advisory Tuesday. iDefense researchers discovered an invalid object reference vulnerability in Flash Player that created an error when the player attempted to process Shockwave Flash files. The flaw could be exploited if a person browses to a website hosting malicious Shockwave Flash files, iDefense said.

"An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site," iDefense said in its advisory. "Utilizing various techniques, an attacker is able to reallocate and control the memory used by the destroyed object. This allows the attacker to subvert execution when a virtual function is called via the invalid reference."
