News
News
9/13/2006
02:20 PM
Connect Directly
RSS
E-Mail
50%
50%

Adobe Patches Flash

Adobe tells users to update Flash Player immediately to correct five critical bugs that can let attackers take control of a target computer.

Adobe Systems Inc. on Tuesday urged users to update Flash Player immediately as it warned the program harbors 5 critical bugs that can let attackers take control of a computer.

In a security advisory posted on its site, Adobe noted that the vulnerabilities in versions 8.0.24.0 and earlier can be exploited by attackers armed with malicious .swf-formatted Flash files. "Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code," the advisory read.

Computer Terrorism, a U.K.-based threat intelligence provider, first reported the bugs to Adobe 4 months ago. "The net result is that of a partially controllable condition, which opens the door to a multitude of differing exploitation vectors, including but not limited to heap/stack overwrites, and/or 3rd party race conditions," Computer Terrorism's technical brief went. Adobe pointed users to patched editions for Windows, Mac OS X, Linux, and Solaris; users of Windows and Mac OS X should update to 9.0.16.0, a version that debuted in June.

Microsoft Corp. pumped up the volume on the Flash fix by posting its own security advisory, which noted that vulnerable editions of Player had been distributed with Windows XP SP1, Windows XP SP2, and Windows XP Professional x64. Unlike in May, however, when Microsoft pushed a Flash update to customers through its own update mechanisms, the Redmond, Wash. developer only offered workarounds and steered users to Adobe's alert.

Microsoft, which has previously committed to issuing patches for Flash, didn't produce one in time for its Tuesday monthly security updates, however. Microsoft did promise to provide an update to Flash in the future.

The company likely missed a patch window, said a security expert Wednesday. "Microsoft missed it," said Eric Schultze, the chief security architect at patch manager developer Shavlik. "They had to have intended to update Flash [Tuesday], but when they couldn't meet the [September] deadline, Adobe must have said 'to heck with this,' and released its own alert.

"But the whole [botched] process informed the world that there is a problem with Flash," Schultze added.

The May Flash update was the first time the Redmond, Wash. developer took an active role in pushing a third-party product fix to users.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.