Adobe fixes 6 flaws in Flash
Issues fourth security update this year for Flash Player
Computerworld - For the second time in two days, Adobe Systems Inc. has warned users of multiple vulnerabilities in one of its most-popular programs and issued a security update to plug the holes.
Wednesday's update was the fourth patch job on the ubiquitous Flash Player this year, and followed by one day an even larger collection of fixes for Adobe Reader, the Web's default PDF application.
The Flash Player update addressed six bugs in Version 126.96.36.199 that range from cross-site scripting and information disclosure vulnerabilities to flaws that could be used to inject malicious HTML code in Web sites and launch "DNS rebinding" attacks.
Adobe first quashed DNS rebinding bugs in Flash in December 2007; the latest fix again credited researchers from Stanford University and the University of California, Berkeley, for reporting the flaw. DNS rebinding vulnerabilities, which make up a subset of cross-site scripting bugs, can let hackers circumvent firewalls and launch large-scale IP address hijacking attacks.
Another flaw fixed in the update also has a long history. "This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure," Adobe said in one of the accompanying advisory's terse descriptions. Mozilla Corp. patched its Firefox browser nearly a year ago to crush a pair of bugs associated with the jar: protocol handler. At the time, the move was notable because Mozilla had let a fix languish for nine months.
Wednesday's update brought the older version of Flash to Version 188.8.131.52. Users running the newer Flash Player 10 do not need to update their software.
Users can check which version of Flash Player they currently have installed by visiting this page on the Adobe site.
Adobe last patched Flash on Oct. 15, when it unveiled Version 10.