In association with heise online

12 February 2010, 11:10

Adobe fixes critical vulnerability in Flash - Update


Security updates 10.0.45.2 for the Adobe Flash Player and 1.5.3.1930 for AIR fix a critical security vulnerability which allows Flash applets to circumvent certain security functions in order to access other websites without obtaining the user's permission. A specially crafted Flash file on a malicious web page could read data, including banking data or similar, displayed in other open browser windows.

Normally, Flash applications are only permitted to access resources on the server from which they have been loaded. In order to allow content to be loaded more flexibly, the Flash framework has allowed 'cross domain requests' since version 7. Sites serving Flash applets can create a crossdomain.xml file which specifies the external sites or servers from which Flash applets are permitted to make requests without Flash Player displaying a warning.

These are usually specified very tightly, with the website operator entering only domains operated by partners and other trusted websites. The current vulnerability appears to allow these restrictions to be circumvented, so that a crafted Flash file can access objects on any website without requiring user clearance. Users should therefore install the Flash update as soon as possible.
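To make the policy mechanism above concrete, here is an added Python example (not Adobe's code and not Flash Player's real policy parser) that evaluates constructed crossdomain.xml files and flags over-permissive entries. Assumptions: domains are matched with shell-style wildcards, and the `secure` attribute is simplified to "https applet origins only" when set or defaulted to true.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample policy files (not taken from any real site).
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.com"/>
  <allow-access-from domain="*.cdn.example.net"/>
</cross-domain-policy>"""

WIDE_OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""


def policy_entries(policy_xml):
    """Return (domain pattern, secure flag) for each allow-access-from element."""
    root = ET.fromstring(policy_xml)
    entries = []
    for node in root.findall("allow-access-from"):
        secure = node.get("secure", "true").lower() != "false"
        entries.append((node.get("domain", ""), secure))
    return entries


def is_request_allowed(policy_xml, applet_origin):
    """Simplified check: may an applet loaded from applet_origin read this server's data?

    Assumption: secure="true" (the default) is treated as 'https origins only'.
    """
    parsed = urlparse(applet_origin)
    host = parsed.hostname or ""
    for pattern, secure in policy_entries(policy_xml):
        if secure and parsed.scheme != "https":
            continue
        if fnmatchcase(host, pattern):  # handles "*" and "*.example.com" style patterns
            return True
    return False


def audit_policy(policy_xml):
    """Flag entries that hand cross-domain read access to every site on the web."""
    findings = []
    for pattern, secure in policy_entries(policy_xml):
        if pattern == "*":
            findings.append('domain="*" lets any site read this server\'s content')
        if not secure:
            findings.append(f'secure="false" on {pattern!r} also admits plain-http applets')
    return findings
```

Running `audit_policy` over your own served crossdomain.xml is a quick way to confirm it is as tight as the article describes, which limits what a policy-respecting applet can read; the vulnerability itself bypasses this check entirely, which is why the update matters regardless of policy content.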

The update also fixes a denial of service (DoS) vulnerability, no further details of which are given. Further tests are needed to determine whether this is the vulnerability which has been unpatched for several months for which Adobe recently apologised. The vendor originally intended to fix this vulnerability in the next major release, 10.1.

The Adobe Flash Player update is available to download for Windows, Mac OS X and Linux. Alternatively, users can use the inbuilt update function. The AIR update is also available to download for Windows, Mac OS X and Linux.

Update: According to another Adobe advisory, the cross-domain request problem also exists in versions 9.3 and 8.2 of Reader for Windows, Mac OS X and Linux, and in Acrobat. An update has been prepared and Adobe plans to release it on February 16th.


(crve)

Permalink: http://h-online.com/-929060