In association with heise online

22 September 2011, 12:38

Adobe publishes emergency patch to fix critical Flash vulnerabilities

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Flash Logo As previously announced, Adobe has published an unscheduled emergency patch for Flash Player to address a number of critical security issues. The Flash Player updates, version for desktop operating systems and for Android, are the company's response to a recently discovered universal cross-site scripting (XSS) hole.

According to Adobe, the vulnerability is already being actively exploited by attackers to bypass the same origin policy, allowing them to, for example, take actions on a user's behalf on any web site or steal a victim's cookies. For an attack to be successful, a victim must first click on a malicious link. The company notes that the Authplay.dll component included in Reader and Acrobat is not affected.

The updates also close five other holes, however, little information is provided about them. Four of the vulnerabilities are said to allow an attacker to remotely execute arbitrary code on a victim's system. A security control bypass flaw that could lead to information disclosure has also been fixed.

Flash Player versions up to and including for Windows, Mac OS X, Linux and Solaris, as well as and earlier for Android, are affected. The company advises all users to install the upgrade. Users running Chrome received the Flash Player update in version 14.0.835.186 of the web browser two days ago.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit