Major new flaw in Adobe Flash Player – Windows, Linux and Mac
A couple of days ago Adobe admitted to three separate vulnerabilities in their Flash Player plugin for web browsers. The vulnerabilities affect Windows, Mac and Linux and allow arbitrary code execution, cross-site request forgery (CSRF), and logging of keystrokes (!).
- The official announcement from Adobe
- CVE numbers: CVE-2007-3456, CVE-2007-3457 and CVE-2007-2022
Now, normally I avoid posting vulnerability notices on this blog… there are plenty of other services for that… but this announcement doesn’t seem to be getting a lot of exposure.
As I wrote last year when another big vulnerability in Flash was made public, Flash is considered by many administrators to be an inert, vegetable-like format immune to security issues. I’ve never seen an organization that regularly updates the Flash player on desktops, or that even considers Flash to be an executable file format. It is another security blind spot and perfect fodder for attackers to gain access to desktops.
By the way, on Windows, if you have both MS Internet Explorer and better browsers like Firefox or Opera installed, you have to upgrade twice: MSIE uses an ActiveX-style plugin, but other browsers use the traditional Netscape plugin interface. A single download will not install both. Visit the Flash install site with both browsers to get the appropriate Flash player for each.
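Because the two plugins are separate files, the one check an administrator wants after upgrading is whether both copies are actually at the patched version. The PowerShell script below is an added example, not code from the original post or from Adobe; it assumes Flash installs its plugins under %WINDIR%\System32\Macromed\Flash, with the ActiveX control named Flash*.ocx and the Netscape plugin named NPSWF32.dll, and that Flash reports its file version with comma separators. The minimum version to compare against is a placeholder you supply from Adobe's advisory.

```powershell
# Added example (not from the original post): report the version of each
# Flash Player plugin on a Windows desktop, so the ActiveX (MSIE) and the
# Netscape-style (Firefox/Opera) copies can both be verified after an upgrade.
# Assumed install location and file names (not stated in the post):
#   %WINDIR%\System32\Macromed\Flash\Flash*.ocx   -> ActiveX control for MSIE
#   %WINDIR%\System32\Macromed\Flash\NPSWF32.dll  -> Netscape-style plugin
$flashDir = Join-Path $env:WINDIR 'System32\Macromed\Flash'

function Get-FlashPluginVersions {
    param(
        [string]$Directory = $flashDir,
        # Placeholder: take the fixed version from Adobe's advisory for the CVEs above.
        [version]$MinimumVersion = [version]'0.0.0.0'
    )
    $patterns = [ordered]@{
        'ActiveX (MSIE)'                  = 'Flash*.ocx'
        'Netscape plugin (Firefox/Opera)' = 'NPSWF32.dll'
    }
    foreach ($kind in $patterns.Keys) {
        $files = Get-ChildItem -Path $Directory -Filter $patterns[$kind] -ErrorAction SilentlyContinue
        if (-not $files) {
            # A missing file means that browser family has no Flash at all,
            # which is worth reporting explicitly rather than silently skipping.
            [pscustomobject]@{ Plugin = $kind; File = $null; Version = $null; Status = 'not installed' }
            continue
        }
        foreach ($f in $files) {
            # Flash (assumed) stores its file version as "9,0,47,0"; normalize to
            # dots so it can be parsed as a [version] and compared numerically.
            $raw = $f.VersionInfo.FileVersion
            $ver = $null
            if ($raw) { $ver = [version]($raw -replace ',', '.').Trim() }
            $status = if (-not $ver) { 'unknown version' }
                      elseif ($ver -lt $MinimumVersion) { 'OUTDATED - upgrade this browser family' }
                      else { 'ok' }
            [pscustomobject]@{ Plugin = $kind; File = $f.FullName; Version = $ver; Status = $status }
        }
    }
}

# Usage: replace the placeholder with the fixed version from the advisory.
Get-FlashPluginVersions -MinimumVersion '0.0.0.0' | Format-Table -AutoSize
```

Run it once before and once after visiting the install site with each browser; if one line still reads OUTDATED, that browser family was not updated by the other browser's download, which is exactly the double-upgrade trap the paragraph above describes.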