Adobe Issues Out-of-band Updates for Flash

Adobe issued patches on Monday for two critical vulnerabilities in its Flash Player found by employees of Google's Security Team.

The company issued the fixes outside of its normal patching schedule, which falls on the second Tuesday of the month, in line with Microsoft's monthly patch release.

Adobe's applications are frequently targeted by hackers because of the large number of users worldwide who have applications and plugins such as Flash and Reader installed.

Adobe classified the vulnerabilities as "priority two," which means there are currently no known exploits -- crafted attacks that take advantage of a software vulnerability -- and the company does not expect exploits to quickly appear. Administrators are advised to update Flash within 30 days, according to the risk rating.

The vulnerable software version is 11.1.102.62 and earlier for Windows, Mac, Linux and Solaris operating systems, which should be updated to version 11.1.102.63.

Adobe advised that some users may not be able to upgrade to the 11.1.102.63 version. Those users should download a patched version of Flash 10.x, which is version number 10.3.183.16.

Also vulnerable are versions 11.1.115.6 and earlier for Android 4.x, which should be replaced with version 11.1.115.7 from the Android Marketplace, Adobe said. People using Flash version 11.1.111.6 on Android 3.x and 2.x systems should also upgrade to 11.1.115.7. Users can figure out the version they're running by visiting this Adobe support page.

One of the issues, CVE-2012-0768, is a memory corruption problem in a component of Flash called Matrix3D, which could allow an attacker to take control of a person's computer. The other, CVE-2012-0769, is an integer error that could cause information to be disclosed.

Tavis Ormandy and Fermin J. Serna of Google were credited with finding the vulnerabilities.

Send news tips and comments to jeremy_kirk@idg.com
