Adobe Patches Security Holes in Flash and Photoshop
Two of Adobe's most popular products have flaws: three in the free Flash Player plug-in and two in Photoshop. Exploit code for the vulnerabilities is available on the Web. Adobe has released security updates to patch these holes.
A security researcher named 'Marsu' first disclosed the Photoshop flaws in late April 2007. The disclosures also included exploit code with which an attacker could execute a malicious program on a user's system through a specially constructed 'bmp', 'dib', or 'rle' file.
An error in input validation could enable an attacker to execute arbitrary code in Flash Player 9 and earlier versions. Similarly, insufficient validation of the HTTP Referer header could allow arbitrary code execution in Flash Player 8 and prior versions. There is another security problem in Flash Player 7 for Linux and Solaris involving the Opera and Konqueror browsers, which Adobe does not discuss in detail.
While the most dangerous flaw could let a remote attacker run malicious code on a chosen system, another could help an attacker steal sensitive user details.
It is critical to patch the Flash Player flaws to protect millions of users around the world from potential risk. According to Adobe's estimate in early 2007, 98.7% of the world's Internet users had some version of the plug-in. Adobe's Security Bulletins and Advisories Web page provides both patches.
In 2006, Adobe warned in an advisory that security holes in its Macromedia Shockwave Installer could expose PC users to malicious code attacks.
Secunia, a company that issues security alerts, warns that if exploitation is successful it is easy to execute arbitrary code. However, it requires tricking users into visiting infected websites that make them download Shockwave Player. Adobe has advised users to install Shockwave Player only from the company's website, Secunia officials said in 2006.
Adobe said TippingPoint's Zero Day Initiative reported the issue, which arises from a boundary error in the Shockwave Installer ActiveX control. An attacker could trigger a stack-based overflow by passing long values in the control parameters, according to reports last year.
» SPAMfighter News - 24-07-2007