Adobe Upgraded Flash Player to Close Critical Flaw
In the fourth week of December 2007, Adobe Systems Inc. plugged nine critical flaws in its Flash Player that attackers can use to compromise Linux, Mac and Windows machines. Secunia ASP, the Danish vulnerability tracker, has called the nine flaws 'highly critical', which is the second level from the top of its threat ranking.
According to the Adobe and Secunia advisories, one of the bugs is an input validation error that can be used to execute code if a user clicks an illegitimate or unknown link or accesses a harmful site. Adobe credited Google Inc.'s security team with reporting two of the nine flaws, while Stanford University's team notified Adobe of another pair of bugs.
The firm also recommends that users upgrade to Adobe Flash Player 184.108.40.206 (Mac, Win, Linux) through the software's auto-update process. A security patch for Solaris will be released later.
The update also introduces functionality to close a hole that allows DNS rebinding attacks, adds new, stricter methods for Flash Player to interpret cross-domain policy files, and prohibits the unsupported "asfunction" protocol to address potential cross-site scripting issues with SWF files. In addition, it fixes a problem that can permit remote attackers to change the HTTP headers of client requests and carry out HTTP request splitting attacks.
Although the immense popularity of the Flash Player application puts the exposure to attacks on a scale comparable with the ubiquitous phishing attacks that spread through mail, Jonathan Bitle, Technical Accounts Manager, Qualys, said that it is different from phishing attacks, which automatically relay attacks; here, to be attacked, users have to install SWF files from hackers that appear as Flash Player presentations, as reported by SC Magazine on December 19, 2007.
Jonathan added that the presence of flaws in a popular application years after its introduction should be taken as a wake-up call for developers, and they should start working on potential security issues.
He also said that everybody should work towards taking their security and potential vulnerabilities to another level.
» SPAMfighter News - 02-01-2008