Adobe fixes numerous holes in Flash Player and AIR
Adobe has released updates for Flash Player and AIR to close a total of twelve security holes. The vulnerabilities include the recently discovered hole that allows attackers to gain control of a PC via specially crafted web pages. This hole also affects Adobe Reader and Acrobat, for which Adobe plans to release updates before the end of the day. In Reader and Acrobat, the hole can be exploited via specially crafted PDF files that include Flash content.
The vulnerability is already actively being exploited through specially crafted PDF files and through manipulated web pages (drive-by downloads). According to reports, the drive-by exploit affects users running Internet Explorer and Firefox.
The Flash and AIR updates fix five further critical bugs that involve heap and buffer overflows and allow the injection of arbitrary code. Adobe has also solved the ATL problem and a click-jacking vulnerability. The vendor recommends that users update to versions 18.104.22.168 or 10.0.32.18 of Flash and AIR version 1.5.2 immediately, for example via the integrated update feature.
The Flash updates are available to download for Windows, Mac, Linux and Solaris. Users can determine which version they have installed by accessing this page: Adobe Flash Player. The AIR update is available for Windows, Mac and Linux.
- Security updates available for Adobe Flash Player, security advisory from Adobe.
- Adobe and Cisco extensions vulnerable to Microsoft's ATL problems, a report from The H.
- Zero-day vulnerability in Adobe Flash Player, Reader and Acrobat, a report from The H.