Adobe Systems Inc. plugged six vulnerabilities in Flash Player and issued updates to its ColdFusion and Adobe Flash Media Server, fixing several other flaws in those products.
The software maker said the vulnerabilities in its Flash Player could cause the application to crash and enable an attacker to gain access to a victim’s computer. The repairs include several memory corruption errors as well as a bug that could enable clickjacking attacks. The vulnerabilities are in Flash Player version 10.1.53.64 and earlier. In addition, Adobe updated its Adobe AIR development environment and urges users to upgrade to Adobe AIR 2.0.3.
Adobe has addressed vulnerabilities that enable clickjacking in the past. One security expert, John Strand, told SearchSecurity.com that clickjacking may be better prevented through security policy, rather than technology.
An update to Adobe Flash Media Server fixes four vulnerabilities that could enable an attacker to run malicious code on an affected system. The vulnerabilities affect Adobe Flash Media Server 3.5.3 and earlier versions and Adobe Flash Media Server 3.0.5 and earlier versions for Windows and UNIX.
Adobe said it also corrected a directory traversal vulnerability in ColdFusion 9.0.1 and earlier versions that could lead to data leakage. ColdFusion is a development environment used by website designers to create dynamic web pages.
Adobe on Thursday released a security bulletin to patch 32 vulnerabilities in Flash Player, including a critical flaw that antivirus companies have seen being exploited in the wild.
The vulnerabilities could allow an attacker to take control of a system, Adobe warned.
The company recommended that all users with Flash Player 10.0.45.2 and earlier versions upgrade to the newest version, Flash Player 10.1.53.64. Adobe AIR 184.108.40.20630 and earlier versions for Windows, Macintosh and Linux are also affected and the company recommended that users update to Adobe AIR 220.127.116.1110.
The critical flaw that is being exploited in the wild also affects Adobe Reader and Acrobat; Adobe plans to provide a security update for those products on June 29.
Adobe late Monday released a patch schedule to fix a critical vulnerability in its Flash Player, Adobe Reader and Acrobat products.
The company said it plans to release a security update for Flash Player 10.x for Windows, Macintosh, and Linux by Thursday. It hasn’t yet determined when it will release an update for Flash Player 10 for Solaris, but it expects to provide a patch for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29.
In a blog post Monday night, Brad Arkin, director of product security and privacy at Adobe, said the June 29 update represents an accelerated release of Adobe’s quarterly update that was originally scheduled for July 13. The June 29 release will fix a number of other vulnerabilities in addition to the flaw announced Friday.
“Among other options, we also considered the alternative of releasing a one-off zero-day fix followed a couple of weeks later by the July 13 quarterly update,” Arkin wrote. “However, two patches within three weeks would have incurred too much churn and patch management overhead on our users, in particular for customers with large managed environments.”
Mozilla is releasing a new feature in Firefox that will warn users of the popular browser that their Adobe Flash plug-in is out of date.
The changes will come to the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14.
Mozilla’s Human Shield, Johnathan Nightingale, announced the new feature in a blog entry last week:
“Our intent is to get the user’s attention, and direct them to the Adobe website where they can download the most up to date version. For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update.”
Nightingale said Mozilla hopes to provide similar checks for other third-party plug-ins in the future.
Adobe has been under fire of late for its patching processes. The software maker has had a slew of updates over the last year as attackers targeted holes in its popular PDF reading software and its Flash player in drive-by attacks.
Last month, Mickey Boodaei, the CEO of security vendor Trusteer, criticized Adobe after a review of more than 2 million Trusteer users found that nearly 80% of Flash users were using a flawed version of the browser component two weeks after Adobe pushed out the patch.
By default, Adobe set its Flash component to check for a new version every 30 days, resulting in a patching delay when a security update is issued. Adobe has an extremely large install base, so setting the update check for every day or every week could overburden its servers and cause even more problems.