Adobe fixes critical Flash Player flaws
And it will drop support for PowerPC G3 Macs next year
Computerworld - Editor's note: This story has been updated to clarify which PowerPC computers Adobe will drop support for after Flash Player 10.1 is released.
Adobe on Tuesday patched seven vulnerabilities in Flash Player, six of them for critical bugs that hackers could use to hijack Windows, Mac or Linux machines.
The company also announced it will stop issuing Flash security updates for some Mac users next year.
In a security advisory published Tuesday, Adobe briefly spelled out the vulnerabilities, using the phrase "could potentially lead to code execution" in six of the descriptions. Like Apple, and unlike Microsoft, Adobe does not assign bugs a severity or threat rating. Vulnerabilities that can be used to introduce malicious code, however, are considered the most serious -- and get the highest rating from vendors such as Microsoft.
Yesterday's update was the first for Flash Player since late July. Although Adobe committed earlier this year to releasing security fixes every three months for its Adobe Reader and Adobe Acrobat software, Flash Player remains on an ad hoc schedule.
Even so, Adobe piggybacked the Flash Player security patches with the six updates that Microsoft released the same day for Windows, Internet Explorer (IE) and Office.
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities," the company's advisory said.
It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information, said Adobe, which credited a Microsoft researcher with reporting the problem. Microsoft and Adobe have been collaborating on security issues for months, part of the former's long-term plan to beef up the security of the Windows ecosystem by helping major third-party developers, such as Adobe, find and fix flaws.
The paucity of information included in Adobe's advisory, however, rankled at least one security expert. "Overall their security advisories are on par with Apple's," said Andrew Storms, the director of security operations at nCircle Network Security. "Well actually, I might have to give Apple a few notches up over Adobe," he added, referring to Apple's reputation for terse descriptions of the vulnerabilities it patches in Mac OS X.
Adobe also had some problems getting out the update yesterday, the day it had promised last week it would deliver the Flash Player patches. "The flash player bulletin will be up soon. The team is working through a few final checks," said Brad Arkin, Adobe's director for product security and privacy, on Twitter late Tuesday. Adobe released the update around 4:30 p.m. PT.
Flash Player 10.0.42.34 for Windows, Mac and Linux can be downloaded from Adobe's Web site. Alternately, users can use Flash's built-in automatic update mechanism to grab the new versions.
Also on Tuesday, Adobe announced plans to drop Flash Player security support next year for Mac owners whose machines run PowerPC G3 processors. "Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release," said Adobe in the same advisory that spelled out the seven patches. "This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture."
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!