The Flash Player update addresses several
vulnerabilities that put users at risk of computer takeovers.
Adobe Systems has released a major Flash Player update to fix at least seven cross-platform vulnerabilities that put users at
risk of PC takeover attacks.
One of the vulnerabilities covered in the APSB08-11 update was used to hijack a
Windows Vista laptop at the CanSecWest "Pwn to own" hacking contest
is available for Adobe Flash Player 126.96.36.199 and earlier, and 188.8.131.52 and
"Critical vulnerabilities have been identified in Adobe Flash Player that
could allow an attacker who successfully exploits these potential
vulnerabilities to take control of the affected system. A malicious SWF must be
loaded in Flash Player by the user for an attacker to exploit these potential
vulnerabilities," Adobe said in an advisory.
Because some of these security fixes may cause problems on Web sites that use
Flash content, Adobe has released a separate advisory
with instructions on "necessary changes" needed to ensure a seamless
To read about Adobe's warning of a code injection hole in Flash Media Server, click here.
According to Adobe, the most serious of the seven vulnerabilities "could
lead to the potential execution of arbitrary code" if users simply surfed
to a booby-trapped Web site or opened an e-mail with Flash content.
The update introduces functionality to mitigate two known flaws that could help
an attacker to launch a DNS (Domain Name System) rebinding attack; a new method
for the Flash Player to interpret cross-domain policy files; a new security
feature that performs a cross-domain policy file check before allowing SWFs to
send HTTP headers to another domain; and a major change in Flash Player's