May 6, 2012

Emergency Update for Adobe Flash Player Released

On Friday, Adobe released an emergency patch to address a critical vulnerability in their Flash Player software -- a vulnerability which hackers had been using to trick users into downloading malware delivered via email.

According to Gregg Keizer of Computerworld, all versions of the software contain the vulnerability, and Adobe is recommending that users download the patch regardless of their browser or operating system, though only users of Microsoft's Internet Explorer are currently being targeted by the hackers.

"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message," Adobe said in a statement, according to the SearchSecurity.com staff. "The exploit targets Flash Player on Internet Explorer for Windows only."

They add that Adobe is recommending that users of the following versions of Flash Player (or earlier ones) update their software immediately: version for Windows, Mac and Linux users; version for Android 4.x users; and for Android 3.x users. The company added that Windows users should consider this a "level 1 priority," while anyone who downloaded the software with Google Chrome already has received an automatic update and that no further action is required on their end.

CNET's Topher Kessler reports that the problem is being described as an "object confusion vulnerability," which Adobe said will allow attackers to crash the Flash Player and execute malicious code which can seize control of the user's system.

"In object-based programming languages, associated functions and variables in a running program are packaged together in what is referred to as an object, whose properties are defined as a 'class,'" he added. "In an object-confusion vulnerability, the object's class is changed so any objects defined by it are incorrectly interpreted and return incorrect values when run. These values can be pointers that direct the program to execute arbitrary code stored in other sections of memory by the attacker, and thereby run the attacker's malware."

Friday's update was the fourth Flash Player update issued by Adobe this year, with the last coming on March 28, Keizer said.

That previous patch "addressed the frequent updating pain point -- at least for Windows users -- by shipping Flash Player 11.2, which uses a silent, background update mechanism. The silent update is supposed to kick in in some situations to automatically patch the plug-in in IE, Firefox, Safari and Opera on Windows without notifying or bothering users."


On the Net: