Adobe patches nine critical flaws in Flash

Adobe Systems patched its Flash Player earlier this week, fixing nine critical vulnerabilities that hackers could use to attack Windows, Mac and Linux machines.

"Multiple input validation errors have been identified in Flash Player 9.0.48.0 and earlier that could lead to the potential execution of arbitrary code," Adobe said in the advisory posted on the company's site. "These vulnerabilities could be accessed through content delivered from a remote location via the user's Web browser, e-mail client or other applications that include or reference the Flash Player."

Danish vulnerability tracker Secunia ASP collectively tagged the nine bugs as "highly critical," its second-from-the-top threat ranking.

The flaws can be exploited using malicious .swf files, a vector graphics format specific to Flash. Specifically, said Adobe, the vulnerabilities could be used to conduct cross-site scripting attacks, run DNS rebinding attacks that circumvent firewall defenses and elevate privileges on servers hosting Flash content.

Google's security team was credited by Adobe with reporting two of the nine vulnerabilities, while a team at Stanford University received a nod for notifying Adobe of another pair of bugs.

"Users are recommended to update to the most current version of Flash Player available for their platform," Adobe said. The update, dubbed Flash Player 9.0.115.0, can be downloaded from the Adobe site. Solaris users, however, must download a beta of the updated Player to protect their machines.

Mac OS X users who refreshed their operating system with the 41-fix Security Update 2007-009, which Apple issued Monday, already have the revised Flash Player in hand, and don't need to take additional action.

According to Adobe, people who must rely on the older Flash Player 7 should download and install the patched version of that edition instead of 9.0.115.0. The patched Player 7 can be found here.