Adobe Issues Flash Player Patch
During the last week of February 2009, Adobe issued a security patch to fix a vulnerability in Flash Player which, if exploited, could allow hackers to take over a computer. According to an advisory issued by the company, the hole is critical in Adobe Flash Player 10.0.12.36 and older versions.
To exploit the flaw successfully, an attacker must get a targeted end user to download a malicious Shockwave Flash file, either through a social engineering technique or by injecting malware into a hijacked website that enjoys relative trust.
Moreover, the hole could let a hacker compromise an affected computer, according to Adobe as well as iDefense Labs, a company engaged in vulnerability and security research.
iDefense, which successfully tested the vulnerability on Windows Vista SP1 and Windows XP SP3, noted that all platforms that Flash Player supports, including Mac OS and Linux, are possibly affected.
The newly published patch resolves other potential issues too. For instance, it takes care of a heap overflow problem with which an attacker could execute arbitrary code. Furthermore, it also patches a problem with input validation that allows execution of arbitrary code as well as creating a denial-of-service condition, Adobe pointed out.
Security specialists state that Flash programs are always extremely vulnerable to malicious attacks since Flash has a number of hidden features that prevent users from configuring it. According to Holly Stewart, Threat Response Manager of the X-Force research team at IBM Internet Security Systems, by the end of 2008, 15% of all malicious links led to Flash videos containing malware, as reported by InternetNews on February 26, 2009.
Stewart added that users are still victimized by Flash attack code since the majority of them fail to deploy Adobe patches when these updates are released.
To avoid possible attacks, Adobe recommends that users update Flash Player to the latest version suitable for their operating system.
Meanwhile, after releasing 6 updates for Flash Player 9 in November 2008, Adobe has issued another patch for the second time in February 2009. Separately, Adobe's Acrobat and Reader programs are subject to zero-day attack code that also requires a patch.
» SPAMfighter News - 04-03-2009