Adobe fixes critical Flash Player flaws
And it will drop support for PowerPC G3 Macs next year
Computerworld - Editor's note: This story has been updated to clarify which PowerPC computers Adobe will drop support for after Flash Player 10.1 is released.
Adobe on Tuesday patched seven vulnerabilities in Flash Player, six of them for critical bugs that hackers could use to hijack Windows, Mac or Linux machines.
The company also announced it will stop issuing Flash security updates for some Mac users next year.
In a security advisory published Tuesday, Adobe briefly spelled out the vulnerabilities, using the phrase "could potentially lead to code execution" in six of the descriptions. Like Apple, and unlike Microsoft, Adobe does not assign bugs a severity or threat rating. Vulnerabilities that can be used to introduce malicious code, however, are considered the most serious -- and get the highest rating from vendors such as Microsoft.
Yesterday's update was the first for Flash Player since late July. Although Adobe committed earlier this year to releasing security fixes every three months for its Adobe Reader and Adobe Acrobat software, Flash Player remains on an ad hoc schedule.
Even so, Adobe piggybacked the Flash Player security patches with the six updates that Microsoft released the same day for Windows, Internet Explorer (IE) and Office.
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities," the company's advisory said.
It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information, said Adobe, which credited a Microsoft researcher with reporting the problem. Microsoft and Adobe have been collaborating on security issues for months, part of the former's long-term plan to beef up the security of the Windows ecosystem by helping major third-party developers, such as Adobe, find and fix flaws.
The paucity of information included in Adobe's advisory, however, rankled at least one security expert. "Overall their security advisories are on par with Apple's," said Andrew Storms, the director of security operations at nCircle Network Security. "Well actually, I might have to give Apple a few notches up over Adobe," he added, referring to Apple's reputation for terse descriptions of the vulnerabilities it patches in Mac OS X.
Adobe also had some problems getting out the update yesterday, the day it had promised last week it would deliver the Flash Player patches. "The flash player bulletin will be up soon. The team is working through a few final checks," said Brad Arkin, Adobe's director for product security and privacy, on Twitter late Tuesday. Adobe released the update around 4:30 p.m. PT.
Flash Player 10.0.42.34 for Windows, Mac and Linux can be downloaded from Adobe's Web site. Alternately, users can use Flash's built-in automatic update mechanism to grab the new versions.
Also on Tuesday, Adobe announced plans to drop Flash Player security support next year for Mac owners whose machines run PowerPC G3 processors. "Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release," said Adobe in the same advisory that spelled out the seven patches. "This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture."
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!