Adobe Sounds Alarm On Six Critical Flash Flaws
Five of the flaws are memory corruption vulnerabilities, while the other can be used for so-called "clickjacking" attacks, in which the Website a user visits contains a second, invisible Website whose malicious links are hidden beneath the visible content, so that the user's clicks land on them.
All six flaws can potentially be leveraged by attackers for remote code execution, and Adobe rated them as "critical", the most severe on its four-level scale.
In a security bulletin, Adobe said the vulnerabilities affect Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris, as well as Adobe AIR 2.0.2.12610 and earlier versions for Windows, Macintosh and Linux.
Adobe says it's not aware of any exploits circulating in the wild for the six Flash Player flaws. To protect their systems, users of Flash Player 10.1.53.64 and earlier versions should update to Flash Player 10.1.82.76, while users of Adobe AIR 2.0.2.12610 and earlier versions should update to Adobe AIR 2.0.3.
In a separate security bulletin, Adobe warned of four vulnerabilities in Flash Media Server (FMS) 3.5.3 and earlier versions, and FMS 3.0.5 and earlier versions, for Windows and Linux. Adobe rated these as "critical" flaws, although only one could be used for arbitrary code execution; the other three could be used for denial of service attacks.
In a third security bulletin, Adobe pointed users to a hotfix for a vulnerability affecting ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and Unix. The flaw could lead to disclosure of sensitive information and is classified as "important", third highest on Adobe's four-level scale.
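The three bulletins above each state an affected range as "version X and earlier", which is exactly what an inventory check has to encode. The following is an added example (not Adobe's tooling or code from the article): it parses dotted versions numerically, applies the per-branch rule the FMS bulletin implies, and reports which hosts in a constructed sample inventory still need the update. Product names, the inventory and the `check`/`scan` helpers are assumptions for illustration.

```python
from typing import Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so ordering is numeric.
    A naive string compare would wrongly rank "10.1.9" above "10.1.53"."""
    return tuple(int(p) for p in s.strip().split("."))

# (product, branch prefix or None, last affected version, version to update to)
# Thresholds are the ones in the bulletins summarized above. A None update
# target means the bulletin names an affected range but no fixed version here
# (FMS), or points to a hotfix rather than a new version (ColdFusion).
ADVISORIES = [
    ("Flash Player",       None,  "10.1.53.64",  "10.1.82.76"),
    ("Adobe AIR",          None,  "2.0.2.12610", "2.0.3"),
    ("Flash Media Server", "3.5", "3.5.3",       None),
    ("Flash Media Server", "3.0", "3.0.5",       None),
    ("ColdFusion",         None,  "9.0.1",       None),
]

def check(product: str, installed: str) -> Optional[dict]:
    """Return a finding dict if the install is affected, {} if it is at or past
    the threshold, or None if no bulletin line covers this product/branch
    (e.g. an FMS 3.2.x build, which the bulletin does not mention)."""
    v = parse_version(installed)
    covered = False
    for name, branch, last_affected, fixed in ADVISORIES:
        if name != product:
            continue
        if branch is not None:
            bp = parse_version(branch)
            if v[:len(bp)] != bp:      # rule applies to one branch only
                continue
        covered = True
        # Tuple comparison handles differing lengths: (2,0,2,12610) < (2,0,3)
        if v <= parse_version(last_affected):
            return {"product": product, "installed": installed,
                    "last_affected": last_affected, "update_to": fixed}
    return {} if covered else None

# Constructed sample inventory (host, product, version); not real data.
INVENTORY = [
    ("ws-01",    "Flash Player",       "10.1.53.64"),
    ("ws-02",    "Flash Player",       "10.1.82.76"),
    ("media-01", "Flash Media Server", "3.0.6"),
    ("media-02", "Flash Media Server", "3.5.3"),
]

def scan(inventory):
    """Hosts that still need action, in inventory order."""
    return [(h, check(p, ver)) for h, p, ver in inventory if check(p, ver)]
```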
It's been a busy month for Adobe, which last week said it plans to release out-of-band patches for "critical security issues" in Acrobat and Reader the week of Aug. 16. One of the patches will close a hole demonstrated by Charlie Miller, principal analyst at Independent Security Evaluators, at Black Hat earlier this month.
Attackers could exploit the flaw, which lies in the processing of TrueType fonts, by rigging a malicious PDF document and getting a user to open it. Doing so leads to memory corruption and could pave the way for malicious code execution.
Adobe plans to release its next quarterly security update for Adobe Reader and Acrobat on October 12.