Adobe closes critical holes in Flash products
Adobe has closed numerous security holes in Flash Player, Flash Media Server and ColdFusion. Several flaws in the memory management of Flash Player 10.1 can potentially be exploited by attackers to inject malicious code into systems. Another vulnerability makes the player susceptible to click-jacking attacks. The holes affect the security of Flash Professional CS5, Flash CS4 Professional and Flex 4. Adobe says that all versions of Flash Player up to 10.1.53.64 are vulnerable and advises users to update to the current version 10.1.82.76.
Users who still have Flash Player 9 on their systems, for instance after installing Flash CS3 Professional or Flex 3, can close the holes by updating to Player version 9.0.280, which was also released yesterday (Tuesday). Adobe AIR is equally vulnerable up to version 126.96.36.19910, and AIR users can update to version 2.0.3, which no longer contains the flaw.
Administrators who use the Flash Media Server, up to and including version 3.0.5 and 3.5.3, under Windows or Unix are advised to update to 3.0.6/3.5.4, as several holes in the earlier versions can be exploited to inject malicious code. ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and older versions potentially disclose sensitive information to attackers, which can be prevented by applying a security hotfix.