Adobe fixes critical Flash Player flaws
And it will drop support for PowerPC G3 Macs next year
Computerworld - Editor's note: This story has been updated to clarify which PowerPC computers Adobe will drop support for after Flash Player 10.1 is released.
Adobe on Tuesday patched seven vulnerabilities in Flash Player, six of them critical bugs that hackers could use to hijack Windows, Mac or Linux machines.
The company also announced it will stop issuing Flash security updates for some Mac users next year.
In a security advisory published Tuesday, Adobe briefly spelled out the vulnerabilities, using the phrase "could potentially lead to code execution" in six of the descriptions. Like Apple, and unlike Microsoft, Adobe does not assign bugs a severity or threat rating. Vulnerabilities that can be used to introduce malicious code, however, are considered the most serious -- and get the highest rating from vendors such as Microsoft.
Yesterday's update was the first for Flash Player since late July. Although Adobe committed earlier this year to releasing security fixes every three months for its Adobe Reader and Adobe Acrobat software, Flash Player remains on an ad hoc schedule.
Even so, Adobe piggybacked the Flash Player security patches on the six updates that Microsoft released the same day for Windows, Internet Explorer (IE) and Office.
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities," the company's advisory said.
It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information, said Adobe, which credited a Microsoft researcher with reporting the problem. Microsoft and Adobe have been collaborating on security issues for months, part of the former's long-term plan to beef up the security of the Windows ecosystem by helping major third-party developers, such as Adobe, find and fix flaws.
The paucity of information included in Adobe's advisory, however, rankled at least one security expert. "Overall their security advisories are on par with Apple's," said Andrew Storms, the director of security operations at nCircle Network Security. "Well actually, I might have to give Apple a few notches up over Adobe," he added, referring to Apple's reputation for terse descriptions of the vulnerabilities it patches in Mac OS X.
Adobe also had some problems getting out the update yesterday, the day it had promised last week it would deliver the Flash Player patches. "The flash player bulletin will be up soon. The team is working through a few final checks," said Brad Arkin, Adobe's director for product security and privacy, on Twitter late Tuesday. Adobe released the update around 4:30 p.m. PT.
Flash Player 10.0.42.34 for Windows, Mac and Linux can be downloaded from Adobe's Web site. Alternatively, users can use Flash's built-in automatic update mechanism to grab the new versions.
Also on Tuesday, Adobe announced plans to drop Flash Player security support next year for Mac owners whose machines run PowerPC G3 processors. "Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release," said Adobe in the same advisory that spelled out the seven patches. "This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture."