Addresses six vulnerabilities with arbitrary code execution risk

Dec 9, 2009 14:25 GMT

Adobe has released an update to its Flash Player and AIR products that addresses several vulnerabilities rated critical. Six arbitrary code execution flaws and one flaw that can lead to information disclosure have been patched.

On December 3, the Adobe Product Security Incident Response Team (PSIRT) disclosed details about the company's upcoming security update for Flash Player, to give users time to prepare for patching. The Flash Player 10.0.42.34 and AIR 1.5.3 updates shipped yesterday, the same day Microsoft released its scheduled monthly security bulletins.

All this is part of Adobe's new security strategy, which aims for a more uniform security incident response process, an area where the company has struggled in the past. Adobe was heavily criticized by the security community for its inability to patch zero-day vulnerabilities in a timely manner and for failing to convince users to update outdated software versions.

For example, after Mozilla introduced the new plug-in update notification feature in Firefox 3.5.3, it found that half of Firefox users had an insecure Flash Player version installed. Back in May, Adobe announced that it would start enforcing a quarterly security update cycle that would coincide with Microsoft's Patch Tuesday, at least for its Reader and Acrobat products.

The vulnerabilities addressed in this update are identified as CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799 and CVE-2009-3800, all of which can potentially lead to code execution, and CVE-2009-3951, which can result in unauthorized information disclosure on Windows systems. The advisory also notes that support for PowerPC-based G3 computers will be dropped after Flash Player 10.1, which is scheduled for release in the first half of 2010.

"It's been a tough year security-wise for Adobe, as hackers have increasingly targeted the company's products, hunting for vulnerabilities to exploit," says Graham Cluley, senior technology consultant at antivirus vendor Sophos. "The reason why Adobe's products [...] have captured the attention of cybercriminals is that they are so ubiquitous. It's not an outrageous gamble for hackers to assume that you have some Adobe software on your computer, making it a potential avenue for attack," he explains.

Adobe Flash Player 10.0.42.34 can be downloaded from here: Windows / Linux / Mac. Adobe AIR 1.5.3 can be downloaded from here: Windows / Linux / Mac.