Critical security holes in Adobe Flash Player 9
Adobe is warning of some dangerous security holes in Flash Player 9. An Adobe advisory says that programming errors affect all versions of Flash Player up to and including 9.0.124.0. A hole in the FileReference API could be particularly critical: it is said to enable the injection of arbitrary malicious code, which is then executed with the user's rights.
Adobe has also eliminated a Clickjacking problem that can redirect a user's clicks within the browser, and has made the handling of cross-domain policy files more secure in order to prevent any possible elevation of privileges within web applications. The fourth of the security hole to be closed caused a "port-scanning problem" that has not been described in more detail.
All of the vulnerabilities can be exploited remotely using manipulated SWF documents. All an attacker has to do is lure a user to a web site containing harmful Flash objects. Users who visit trustworthy web sites exclusively shouldn't assume they are secure; compromised advertising banners have been known to contain malicious code. Adobe recommends that all users install the current version 10.0.12.36 of Flash Player.
See also: * Flash Player update available to address security vulnerabilities, Adobe advisory
(djwm)