Softpedia
 


November 5th, 2010, 07:24 GMT · By

New Flash Player Update Plugs Critical Security Holes



Flash Player 10.1.102.64 patches eighteen vulnerabilities
Adobe has released Flash Player 10.1.102.64, a security update that fixes eighteen vulnerabilities, including one actively exploited in the wild since last week.

In total, fourteen critical memory corruption flaws, which could lead to arbitrary code execution, have been addressed in the newly released version, one of which only affects the ActiveX Flash Player control.

An additional binary planting (DLL hijacking) vulnerability that could result in remote code execution has also been patched.

This type of flaw stems from the use of an insecure search path for library loading functions, which prioritize the current working directory when the location of the target DLL is not specified.

These vulnerabilities are usually the result of applications trying to load libraries that don't exist, for example, calling a Vista- and 7-only DLL on XP.
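
The search-path behaviour described above, as a simplified Python model (an added example, not code from the article or from Adobe). The directory layout, file names and the `search_order`, `resolve` and `audit` helpers are constructed for illustration; the orderings follow Windows' documented SafeDllSearchMode behaviour and the effect of calling `SetDllDirectory("")`.

```python
# Simplified model of the Windows DLL search order for a bare-name load
# (a library requested without a path). All directory contents are constructed.
from typing import Dict, List, Optional, Set

APP_DIR = r"C:\Program Files\App"  # hypothetical application directory
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(cwd: str, path_dirs: List[str], safe_search: bool = True,
                 include_cwd: bool = True) -> List[str]:
    """Directories probed, in order, for a DLL named without a path.

    safe_search models SafeDllSearchMode: the CWD is probed after the system
    directories instead of before them. include_cwd=False models a process
    that removed the CWD from the order, as SetDllDirectory("") does.
    """
    order = [APP_DIR]
    if include_cwd and not safe_search:
        order.append(cwd)
    order += SYSTEM_DIRS
    if include_cwd and safe_search:
        order.append(cwd)
    return order + path_dirs

def resolve(dll: str, files: Dict[str, Set[str]], order: List[str]) -> Optional[str]:
    """First directory in the order that contains the DLL, or None."""
    for directory in order:
        if dll.lower() in {f.lower() for f in files.get(directory, set())}:
            return directory
    return None

# Constructed scenario: the application requests a library that ships only
# with newer Windows versions, so no system directory on this host has it.
# The CWD is a share from which the user opened a document.
CWD = r"\\fileserver\shared\docs"
FILES = {
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    CWD: {"report.pdf", "newer_os_only.dll"},  # hypothetical file names
}

def audit(dll: str) -> Dict[str, Optional[str]]:
    """Where a bare-name load resolves under each configuration."""
    return {
        "default": resolve(dll, FILES, search_order(CWD, [])),
        "cwd_removed": resolve(dll, FILES, search_order(CWD, [], include_cwd=False)),
    }

if __name__ == "__main__":
    for name in ("user32.dll", "newer_os_only.dll"):
        print(name, audit(name))
```

A library that exists in a system directory resolves there in both configurations; the one missing from the system falls through to the current working directory unless that directory has been removed from the search order, in which case the load simply fails.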

Another fixed bug can be exploited to trigger a Denial of Service (DoS) condition and possibly execute arbitrary code, but the latter has not been demonstrated.

The remaining two vulnerabilities are an information disclosure flaw that only affects Safari on Mac and an input validation weakness that can result in cross-domain policy violations.

Interestingly enough, Google Chrome, which bundles a custom Flash Player, was updated to an even newer version of the plug-in – 10.1.103.19, instead of 10.1.102.64.

Unfortunately, while this update patches the zero-day vulnerability discovered last week and identified as CVE-2010-3654, it does not resolve all of its attack vectors.

The flaw remains exploitable through the Flash interpreter included in Adobe Reader and Acrobat, which are set to receive updates during the week of November 15.

Furthermore, an update for Adobe Flash Player 10.1.95.1 for Android, which is also affected by these vulnerabilities, is expected to land next Tuesday, on November 9, 2010.

The company has also released patches for users who are still using Flash Player 9, for example those running old operating systems that don't support Flash Player 10.

The latest version of Flash Player for Windows can be downloaded here.

The latest version of Flash Player for Mac can be downloaded here.

The latest version of Flash Player for Linux can be downloaded here.

