Adobe publishes emergency patch to fix critical Flash vulnerabilities
As previously announced, Adobe has published an unscheduled emergency patch for Flash Player to address a number of critical security issues. The Flash Player updates, version 10.3.183.10 for desktop operating systems and 10.3.186.7 for Android, are the company's response to a recently discovered universal cross-site scripting (XSS) hole.
According to Adobe, the vulnerability is already being actively exploited by attackers to bypass the same origin policy, allowing them to, for example, take actions on a user's behalf on any web site or steal a victim's cookies. For an attack to be successful, a victim must first click on a malicious link. The company notes that the Authplay.dll component included in Reader and Acrobat is not affected.
The updates also close five other holes, however, little information is provided about them. Four of the vulnerabilities are said to allow an attacker to remotely execute arbitrary code on a victim's system. A security control bypass flaw that could lead to information disclosure has also been fixed.
Flash Player versions up to and including 10.3.183.7 for Windows, Mac OS X, Linux and Solaris, as well as 10.3.186.6 and earlier for Android, are affected. The company advises all users to install the upgrade. Users running Chrome received the Flash Player update in version 14.0.835.186 of the web browser two days ago.
- Security update available for Adobe Flash Player, security advisory from Adobe.