Adobe Patches Flash Bugs

Tuesday, June 12, 2012 @ 06:06 PM gHale

In what is becoming an all too common occurrence these days, Adobe patched seven critical vulnerabilities in Flash Player — the fifth security update so far this year. The company also released a sandboxed plug-in for Mozilla’s Firefox.

The company also released the “silent update” tool for OS X, and said it had prepped Flash for the upcoming OS X 10.8, aka Mountain Lion, by signing its code, a requirement if users are to install software downloaded from sources other than Apple’s own Mac App Store.

After Patch, APT’s Still Hit
Adobe Mac Updates Silenced
Critical Flash Player Hole Closed
Adobe Patches Flash Player, Again

“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

The flaws include memory corruption, integer and stack overflow, and security bypass bugs. One of the seven was a “binary planting” vulnerability in the Flash installer.

“Binary planting” really means “DLL load hijacking.” Because Windows applications don’t call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

Unlike the last Flash security update, which Adobe issued May 4, the new patches are for vulnerabilities the company has not seen exploited in the wild.

Among those Adobe credited for reporting the vulnerabilities was a researcher from the Google Chrome team, another from Symantec and two engineers who work for Microsoft.

Also included in Flash Player 11.3 was a sandboxed plug-in for Firefox and the promised silent update tool for OS X users.

Adobe first talked about sandboxing Flash for Firefox in February, when it released a beta version of the plug-in for that browser on Windows Vista and Windows 7.

A sandbox isolates processes on the computer, preventing, or at least hindering, hackers trying to exploit an unpatched vulnerability, escalate privileges and push malware onto the machine.

Adobe first sandboxed Flash Player for Google’s Chrome in late 2010 after working with Google engineers; the sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers, Adobe said several months ago.

Leave a Reply

You must be logged in to post a comment.