Adobe patches Flash vulnerabilities for three platforms
Adobe Systems has updated its Flash multimedia software to eliminate five flaws affecting Windows, OS X and Linux systems.
The update fixes a critical flaw which could cause a PC to be hacked merely by viewing a malicious SWF (Shockwave Flash) file, according to Adobe's advisory.
Flash vulnerabilities are particularly dangerous due to the widespread use of the graphics format across the Internet for rich Web pages and banner advertisements. Most Web browsers have the Flash player plugin installed, which makes it an attractive target for hackers.
Online advertising networks have struggled to keep malicious Flash advertisements off their networks, as they are often difficult to detect.
Victims of a Flash attack are usually duped via a social engineering trick or by viewing malicious content injected into a trusted site, according to a warning from iDefense, the security branch of VeriSign.
Two of the other Adobe updates address potential problems with "clickjacking," a difficult but powerful hack that lures a victim into clicking on a certain place on a Web page in order to enable an attack.
The other two updates fix a potential denial-of-service condition caused by an input validation problem, and the remaining one fixes an information disclosure problem on Linux systems.
The most up-to-date Flash player for most users is 10.0.22.87. Other versions are available for users of AIR or Flash CS3 Professional: Adobe has published a chart in its advisory listing the upgrades.
Adobe has a Web page that will automatically display what Flash version a computer is using. Flash also has an auto-update system that will prompt a user that it's time to upgrade.
The latest Flash problems come as Adobe is grappling with another serious vulnerability in its Acrobat and Reader products, used for reading PDF (Portable Document Format) files, that affects both Apple and Windows users.
The flaw can allow an attacker to take over a computer if someone opens a malicious PDF file. Adobe has said it will issue a patch by March 11, but security experts have cautioned it leaves a wide time window for attacks.
Security vendor Sourcefire has said it has traced PDF attacks going back to Jan. 9. The company has issued an unsupported temporary patch.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
it news
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
