Adobe Repairs Critical Flash Player Flaws


Adobe Systems issued a second update to its Flash Player in less than a week, repairing 17 critical vulnerabilities in the ubiquitous browser component.

The update, released Tuesday, impacts Adobe Flash Player on Windows, Macintosh, Linux and versions running on Android devices. The Adobe update includes buffer overflow vulnerabilities, memory corruption and use-after-free coding errors.

"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its advisory.

[Related: Microsoft Fixes Critical Exchange Server, Internet Explorer Flaws]

The Adobe update also includes repairs to Adobe Shockwave Player, fixing two critical flaws impacting Windows and Macintosh users. The update impacts users of Shockwave Player on Windows and Macintosh computers. An attacker can exploit the flaws and run malicious code on the affected system, Adobe warned.

Adobe Flash is a favorite attack vector for cybercriminals due to its huge install base. The browser component runs on virtually every PC, and users who fail to properly update it can fall victim to Web-based attacks. The company issued an update Feb. 7, repairing two Flash Player zero-day flaws being actively targeted by cybercriminals.

As part of the update, the company also rolled out a feature to protect users of Microsoft Office 2008. Office document attachments that contain embedded Flash will automatically prompt the user if the Flash file attempts to run. "This feature adds another layer of defense against spearphishing attacks by allowing the end-user an opportunity to realize that they have opened a potentially malicious document and close it before the exploit executes," wrote Peleus Uhley, a platform security strategist at Adobe in a blog post about the new feature.

Adobe has been working on protection mechanisms within Flash Player, said Amol Sarwate, director of the vulnerability labs at vulnerability management vendor Qualys. The Flash Player component in Internet Explorer 10 on Windows 8, means Flash Player runs in Enhanced Protected Mode, Sarwate said.

Adobe has been busy building a sandboxing protection mechanism around its Acrobat and Reader software. Deploying a sandboxing mechanism, isolating Flash Player from critical processes is more of a complicated process, Sarwate said. "Flash Player needs access; direct access to a lot of resources," he said. "It uses both graphics memory and operating system memory to function."

PUBLISHED FEB. 12, 2013