Adobe Systems has released a major Flash Player update to fix at least seven cross-platform vulnerabilities that put users at risk of PC takeover attacks.
One of the vulnerabilities covered in the APSB08-11 update was used to hijack a Windows Vista laptop at the CanSecWest “Pwn to own” hacking contest March 26-28.
The update is available for Adobe Flash Player 18.104.22.168 and earlier, and 22.214.171.124 and earlier.
“Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities,” Adobe said in an advisory.
Because some of these security fixes may cause problems on Web sites that use Flash content, Adobe has released a separate advisory with instructions on “necessary changes” needed to ensure a seamless transition.
According to Adobe, the most serious of the seven vulnerabilities “could lead to the potential execution of arbitrary code” if users simply surfed to a booby-trapped Web site or opened an e-mail with Flash content.
The update introduces functionality to mitigate two known flaws that could help an attacker to launch a DNS (Domain Name System) rebinding attack; a new method for the Flash Player to interpret cross-domain policy files; a new security feature that performs a cross-domain policy file check before allowing SWFs to send HTTP headers to another domain; and a major change in Flash Player’s “AllowScriptAccess” default.