In association with heise online

09 April 2008, 17:03

Adobe fixes seven vulnerabilities in Flash Player


Adobe has released version 9.0.124.0 of its Flash Player for Windows, Linux, Mac and Solaris, which fixes seven security vulnerabilities. According to a report, attackers can exploit the vulnerabilities using crafted SWF files to gain control of a computer. A user can fall victim merely by visiting a crafted web page or opening an SWF file with an application that uses the Flash Player. One of the vulnerabilities relates to the vulnerability recently discovered during the “Pwn to Own” contest, by means of which participant Shane Macaulay succeeded in hacking the Vista laptop.

The bug can be exploited by causing the Flash Player to access incorrectly instantiated ActionScript objects. According to a report from the Zero Day Initiative, this requires manipulation of the DeclareFunction2 tag. In order to fool Vista’s data execution prevention (DEP), Macaulay’s Flash hack takes a little detour via Java. Java apparently doesn’t work under Windows Vista if DEP is activated, for which reason it is often deactivated for Java.
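As an added defender-side example (not code from the article, Adobe or the Zero Day Initiative), the following script parses an SWF file's tag list and counts ActionDefineFunction2 action records, so that SWF files making heavy use of that construct can be pulled aside for closer inspection; it assumes that the report's "DeclareFunction2" is the ActionDefineFunction2 record (opcode 0x8E) of the SWF action model, and the sample SWF it checks is constructed inline.

```python
import struct
import zlib
# Assumption: the advisory's "DeclareFunction2" is the ActionDefineFunction2 action record (0x8E).
DO_ACTION, DO_INIT_ACTION, DEFINE_SPRITE, ACTION_DEFINE_FUNCTION2 = 12, 59, 39, 0x8E

def _count_actions(actions):
    """Count ActionDefineFunction2 records; a record's length excludes its body, which follows inline."""
    n, pos = 0, 0
    while pos < len(actions) and actions[pos] != 0:      # 0x00 = ActionEnd
        code, pos = actions[pos], pos + 1
        if code >= 0x80:                                  # long action: u16 length + payload
            pos += 2 + struct.unpack_from('<H', actions, pos)[0]
        n += (code == ACTION_DEFINE_FUNCTION2)
    return n

def _walk(buf):
    total, pos = 0, 0
    while pos + 2 <= len(buf):
        hdr, = struct.unpack_from('<H', buf, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2  # RECORDHEADER: code << 6 | length
        if length == 0x3F:                                # long form: u32 length follows
            length, pos = struct.unpack_from('<I', buf, pos)[0], pos + 4
        body, pos = buf[pos:pos + length], pos + length
        if code == 0:                                     # End tag
            break
        if code == DO_ACTION:
            total += _count_actions(body)
        elif code == DO_INIT_ACTION:
            total += _count_actions(body[2:])             # skip SpriteID
        elif code == DEFINE_SPRITE:
            total += _walk(body[4:])                      # nested tags after SpriteID, FrameCount
    return total

def count_define_function2(swf):
    """Number of ActionDefineFunction2 records in an SWF (FWS or zlib-compressed CWS)."""
    if swf[:3] == b'CWS':
        swf = swf[:8] + zlib.decompress(swf[8:])
    elif swf[:3] != b'FWS':
        raise ValueError('not an SWF file')
    nbits = swf[8] >> 3                                   # RECT: 5-bit nbits + 4 bit fields
    return _walk(swf[8 + (5 + 4 * nbits + 7) // 8 + 4:])  # then u16 frame rate, u16 frame count

def build_sample_swf(compress=False):                     # constructed sample, not a real file
    fn2 = bytes([ACTION_DEFINE_FUNCTION2, 8, 0]) + struct.pack('<BHBHH', 0, 0, 0, 0, 0)
    actions = fn2 + fn2 + b'\x00'                         # two DefineFunction2 + ActionEnd
    tags = struct.pack('<H', (DO_ACTION << 6) | len(actions)) + actions + b'\x00\x00'
    body = b'\x00' + struct.pack('<HH', 0x0C00, 1) + tags  # RECT(nbits=0), 12 fps, 1 frame
    swf = b'FWS\x09' + struct.pack('<I', 8 + len(body)) + body
    return b'CWS' + swf[3:8] + zlib.compress(swf[8:]) if compress else swf
```

A high count is only a triage signal, not proof of an exploit attempt; the script deliberately stops at counting rather than interpreting the records.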

The other vulnerabilities mainly concern failures to enforce the domain policy, which is intended to prevent access to content from other domains. The update changes several security settings in the Flash Player in order to offer a higher default level of security. According to Adobe, some SWF files will no longer be usable, as Flash no longer fully supports JavaScript URLs. Further details are given in the document Understanding Flash Player 9 April 2008 Security Update compatibility.

Users should install the new version as soon as possible, as websites exploiting the vulnerabilities to infect users’ PCs are likely to spring up rapidly.


(mba)

Permalink: http://h-online.com/-734837