In association with heise online

17 October 2008, 09:24

Critical security holes in Adobe Flash Player 9


Adobe is warning of some dangerous security holes in Flash Player 9. An Adobe advisory says that programming errors affect all versions of Flash Player up to and including 9.0.124.0. A hole in the FileReference API could be particularly critical: it is said to enable the injection of arbitrary malicious code, which is then executed with the user's rights.

Adobe has also eliminated a clickjacking problem that can redirect a user's clicks within the browser, and has made the handling of cross-domain policy files more secure in order to prevent any possible elevation of privileges within web applications. The fourth security hole to be closed caused a "port-scanning problem" that has not been described in more detail.

All of the vulnerabilities can be exploited remotely using manipulated SWF documents. All an attacker has to do is lure a user to a web site containing harmful Flash objects. Users who visit trustworthy web sites exclusively shouldn't assume they are secure; compromised advertising banners have been known to contain malicious code. Adobe recommends that all users install the current version 10.0.12.36 of Flash Player.

See also:

  • Flash Player update available to address security vulnerabilities, Adobe advisory

(djwm)

Permalink: http://h-online.com/-737693
 

