Adobe Releases Critical Security Update for Flash Player
By Joel Fernandes on February 16th, 2012

Adobe has released a new security update for its popular Flash Player that closes seven vulnerabilities, including one that was being publicly exploited. Six of the vulnerabilities enabled attackers to infect the user’s computer using crafted web pages, while the seventh is a cross-site scripting (XSS) vulnerability that Adobe says is already being exploited in “active targeted attacks”.

The latest update fixes all seven vulnerabilities, which affected Windows, Mac OS X, Linux and Solaris users. These vulnerabilities could cause a crash and potentially enable the attacker to take complete control over the affected system.

The cross-site scripting attack is aimed at Internet Explorer on Windows systems and works by tricking users into clicking on malicious links. Adobe says the vulnerability “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website”.

The affected versions are Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems. Also affected are Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x.

Adobe strongly recommends that users update Adobe Flash Player to the newest version, 11.1.102.62, by downloading it from the Adobe Flash Player Download Center. Google Chrome users have received the update automatically. Other users can alternatively update via the update system within the product when prompted. Android users can download the latest Flash Player version from the Android Market.

However, users unable to update the software can download a patched version of Flash Player 10.x from here.
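For administrators checking an inventory against the affected versions above, the following is an added example (not from Adobe or the original article). The platform keys, function names and inventory rows are assumptions made for illustration; only the version thresholds come from the article.

```python
import re

# Highest affected build per platform family, as listed in the article.
AFFECTED_MAX = {
    "desktop": (11, 1, 102, 55),     # Windows, Macintosh, Linux, Solaris
    "android-4": (11, 1, 112, 61),   # Android 4.x
    "android-2-3": (11, 1, 111, 5),  # Android 3.x and 2.x
}

def parse_version(text):
    """Turn '11.1.102.55' (or the comma form '11,1,102,55') into an int tuple."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'affected', 'not-affected' or 'verify-10x-patch'."""
    version = parse_version(version_text)
    if version[0] == 10:
        # The article mentions a separately patched 10.x build but gives no
        # build number, so 10.x cannot be decided by comparison alone.
        return "verify-10x-patch"
    # Tuple comparison is numeric per field; comparing the raw strings would
    # wrongly rank '11.1.102.9' above '11.1.102.55'.
    return "affected" if version <= AFFECTED_MAX[platform] else "not-affected"

def audit(inventory):
    """Map each (host, platform, version) row to its classification."""
    return {host: classify(platform, ver) for host, platform, ver in inventory}

# Constructed inventory rows: (host, platform family, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "11.1.102.55"),
    ("ws-02", "desktop", "11.1.102.62"),
    ("ws-03", "desktop", "11.1.102.9"),
    ("ws-04", "desktop", "10.3.0.0"),
    ("tab-01", "android-4", "11,1,112,61"),
    ("ph-01", "android-2-3", "11.1.111.6"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `verify-10x-patch` need a manual check against the patched 10.x build Adobe provides.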

Here’s the complete list of updates in the new version of Flash Player:

  • This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).
  • This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
  • This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).
  • This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).
Author: Joel Fernandes