Patch for Adobe Flash closes two critical security holes
In a blog posting, Adobe has pointed out that the new Flash Player 11.2 closes two critical security holes. With earlier versions of the plug-in, the vulnerabilities can be exploited to crash a target system, potentially allowing attackers to gain control of a victim's system.
The first vulnerability involves a buffer overflow when checking the trustworthiness of internet addresses and only affects Internet Explorer under Windows 7 and Vista. In addition, a memory error in the NetStream class potentially allows attackers to execute arbitrary code. The second hole affects all currently supported operating systems: Adobe lists Android as well as Linux, Mac OS X, Solaris and Windows. However, only versions 2.x and 3.x of the Android mobile operating system are affected; Android 4.x ("Ice Cream Sandwich") is immune.
Android users can upgrade to the current version via Google's Android Play marketplace. Mac OS X and Windows users can either obtain the update on Adobe's general download page or download it directly.
In addition to offering security patches, the Windows version of Flash Player 11.2 is the first to include an automatic background updater that polls for new revisions of the player on a daily basis. Users can determine whether to allow automatic updates during installation or later in the player's settings manager. Adobe's feature doesn't use a custom background service and obediently relies on the operating system's task scheduler.
Flash Player 11.2 is the third security update to Flash Player that has been released outside of the previous monthly update schedule: the latest two updates were each released after only three weeks.
At the same time, Adobe has released an update for the Adobe AIR runtime environment; its current revision number is 188.8.131.520. Those who can't upgrade to the current Flash Player 11 – such as users in corporate environments – will find that the critical security updates are also included in update 10.3.183.18 for Flash Player 10.3. Google's Chrome web browser, which includes the Adobe Flash Player plug-in by default, was just updated to version 18.0.1025.142 and already includes the new version of Flash.
- Security update available for Adobe Flash Player, security advisory from Adobe.