Adobe issued a patch to cover several security holes in its Flash Player software July 30, including a memory corruption issue that has been targeted by hackers.
All together, the update fixes 12 vulnerabilities. The most critical among them is the memory corruption bug, which is believed to have been exploited by hackers since early July via specially crafted PDF or SWF files. To exploit the vulnerability, attackers took to drive-by downloads on compromised sites.
The problem exists in current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. The issue also exists in the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and Unix operating systems as well.
Among the other vulnerabilities are three bugs tied to a flawed version of Microsoft’s Active Template Library (ATL), which Microsoft patched earlier this week in an emergency out-of-band fix. Adobe is the first major third-party company to acknowledge leveraging the flawed code in an application. In an advisory, Microsoft urged all developers worried their code could contain the ATL vulnerabilities to use the new version of Visual Studio to recompile their code.
“Note that only Internet Explorer plug-ins are vulnerable,” blogged Wendy Poland, a member of Adobe’s Product Security Incident Response Team, on July 28. “Thus, people using Flash Player within the Firefox browser-as well as all other Windows-based browsers [that aren’t Internet Explorer]-are not vulnerable. Additionally, Flash Player and Shockwave Player on Macintosh, Linux and Solaris operating systems are not vulnerable.”