Adobe Ships 'Highly Critical' Flash Player Patch

The update addresses at least nine high-risk vulnerabilities affecting Windows, Mac and Linux machines.

Adobe Systems has shipped an extremely critical patch to correct at least nine cross-platform vulnerabilities in its ubiquitous Flash Player software.

The APSB07-20 update, available for Adobe Flash Player and earlier, and earlier, and and earlier, could allow complete system takeover attacks on Windows, Mac and Linux machines.

"A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities," Adobe warned Dec. 19.

The company is strongly recommending that all users upgrade to Adobe Flash Player (Win, Mac, Linux) via the software's auto-update mechanism. A patch for Solaris will be issued later.

Adobe described two of the nine bugs as "input validation errors" that could lead to the potential execution of arbitrary code.

"These vulnerabilities could be accessed through content delivered from a remote location via the user's Web browser, e-mail client, or other applications that include or reference the Flash Player," company officials warned.

The update also introduces functionality to mitigate a hole that allows the execution of DNS rebinding attacks and a new, stricter method for Flash Player to interpret cross-domain policy files, and it restricts the unsupported "asfunction:" protocol to address potential cross-site scripting issues with some SWF files. It also mitigates an issue that could allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks.

Adobe also confirmed that a potential port-scanning issue is mitigated with this Flash Player patch.

The company also announced that it is retiring support for Flash Player 7 and will no longer provide security updates for that version of the software.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's Security Watch blog.