Windows, Linux users should download new Player; Apple patched Mac OS X's version Monday
Adobe Systems Inc. patched its Flash Player earlier this week, fixing nine critical vulnerabilities that hackers could use to attack Windows, Mac and Linux machines.
The update addresses at least nine flaws–CVE-2007-6242, CVE-2007- 4768, CVE-2007-5275, CVE-2007- 6243, CVE-2007- 6244, CVE-2007- 6245, CVE-2007-4324, CVE-2007- 6246, CVE-2007-5476–across all platforms. Versions affected include Adobe Flash Player 126.96.36.199 and earlier, 188.8.131.52 and earlier, and 184.108.40.206 and earlier.
Adobe, which recommends that everyone updgrade to the new player, says an attacker could use those aforementioned vulnerabilities to take control of a system.
Two of the nine vulnerabilities are “input validation errors” that could “lead to the potential execution of arbitrary code.” Adobe adds:
“These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player.”
"Multiple input validation errors have been identified in Flash Player 220.127.116.11 and earlier that could lead to the potential execution of arbitrary code," Adobe said in the advisory posted on the company's site. "These vulnerabilities could be accessed through content delivered from a remote location via the user's Web browser, e-mail client or other applications that include or reference the Flash Player."
Danish vulnerability tracker Secunia ASP collectively tagged the nine bugs as "highly critical," its second-from-the-top threat ranking.
The flaws can be exploited using malicious .swf files, a vector graphics format specific to Flash. Specifically, said Adobe, the vulnerabilities could be used to conduct cross-site scripting attacks, run DNS rebinding attacks that circumvent firewall defenses and elevate privileges on servers hosting Flash content.
Google Inc.'s security team was credited by Adobe with reporting two of the nine vulnerabilities, while a team at Stanford University received a nod for notifying Adobe of another pair of bugs.
"Users are recommended to update to the most current version of Flash Player available for their platform," Adobe said. The update, dubbed Flash Player 18.104.22.168, can be downloaded from the Adobe site. Solaris users, however, must download a beta of the updated Player to protect their machines.
Mac OS X users who refreshed their operating system with the 41-fix Security Update 2007-009, which Apple issued Monday, already have the revised Flash Player in hand, and don't need to take additional action.
According to Adobe, people who must rely on the older Flash Player 7 should download and install the patched version of that edition instead of 22.214.171.124. The patched Player 7 can be found here.