Asia's Source for Enterprise Network Knowledge

Monday, April 21st, 2014

Software security

Adobe patches flash bugs, releases sandboxed Firefox plugin

Adobe today patched seven critical vulnerabilities in Flash Player -- the fifth security update so far in 2012 -- and released a sandboxed plug-in for Mozilla's Firefox.

The company also released the "silent update" tool for OS X, and said it had prepped Flash for the upcoming OS X 10.8, aka Mountain Lion, by signing its code, a requirement if users are to install software downloaded from sources other than Apple's own Mac App Store.

"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," said Adobe in an advisory published Friday.

The flaws were all over the map, and included memory corruption, integer and stack overflow, and security bypass bugs. One of the seven was tagged as a "binary planting" vulnerability in the Flash installer.

"Binary planting" is a synonym for what others call "DLL load hijacking," a bug class first uncovered nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.

Because many Windows applications don't call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

Unlike the last Flash security update, which Adobe issued May 4, today's bug patches are for vulnerabilities that the company has not seen exploited in the wild.