ADOBE HAS RUSHED OUT an update to its ubiquitous Flash Player after three vulnerabilities were discovered.
Flash Player version 18.104.22.168 for Mac and Windows and 22.214.171.1244 for Linux plug holes that "...could potentially allow an attacker to take control of the affected system".
Two of the fixes are for "security bypass vulnerabilities", while the third addresses a flaw disclosed on the blog of Michele Spagnuolo, a Google engineer working out of Zurich, that allows an attacker to abuse JSONP endpoints. Spagnuolo even provided a proof-of-concept tool to exploit it.
Adobe said, "These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs."
The JSONP vulnerability is particularly significant because it could be used to extract user login details stored as cookies.
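The server-side counterpart to Adobe's fix is to stop a JSONP endpoint from echoing attacker-chosen bytes at the start of its response body. The example below is added here and is not code from Adobe, Google or Spagnuolo; it assumes a hypothetical `render_jsonp` helper and shows an unvalidated endpoint beside a hardened one that restricts the `callback` parameter to a plain JavaScript identifier, prefixes the body with a harmless comment and sets headers that discourage browsers and plug-ins from treating the reply as anything but script.

```python
import json
import re

# Callback must be a dotted JavaScript identifier, e.g. "cb" or "app.handlers.cb".
# Anything else (punctuation, spaces, non-ASCII, binary magic bytes) is rejected.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
_MAX_CALLBACK_LEN = 64

# Defensive prefix: valid JS that the caller never notices, but it guarantees the
# response body does not begin with the callback string the client supplied.
_PREFIX = "/**/"

# Headers commonly paired with the prefix so the reply is only ever consumed as script.
SAFE_HEADERS = {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment; filename=f.txt",
}


class InvalidCallback(ValueError):
    """Raised when the callback parameter fails the allow-list check."""


def render_jsonp_unsafe(callback, payload):
    # Vulnerable pattern: whatever the client sent becomes the first bytes of the body.
    return callback + "(" + json.dumps(payload) + ");"


def is_valid_callback(callback):
    """Return True only for short, identifier-shaped callback names."""
    return (
        isinstance(callback, str)
        and 0 < len(callback) <= _MAX_CALLBACK_LEN
        and _CALLBACK_RE.match(callback) is not None
    )


def render_jsonp(callback, payload):
    """Hardened JSONP rendering: allow-listed callback plus constant prefix."""
    if not is_valid_callback(callback):
        raise InvalidCallback("rejected JSONP callback parameter")
    body = _PREFIX + callback + "(" + json.dumps(payload) + ");"
    return body, dict(SAFE_HEADERS)


if __name__ == "__main__":
    # Constructed sample request values, not captured traffic.
    print(render_jsonp_unsafe("handleData", {"ok": True}))
    print(render_jsonp("handleData", {"ok": True})[0])
    for bad in ("alert(1)", "cb;", "", "x" * 100, "cb\u00e9"):
        try:
            render_jsonp(bad, {})
        except InvalidCallback:
            print("rejected:", repr(bad))
```

The unsafe variant is included only to show where the problem sits: the body starts with bytes chosen by the requester, which is what Adobe's "additional validation checks" in the player are there to catch from the client side. The hardened variant defeats the pattern regardless of how the client interprets the response, because neither the prefix nor the allow-listed identifier can encode a foreign file format.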
Spagnuolo informed Google, which patched its accounts system, and also warned major portals including eBay, Twitter, Instagram and Tumblr, some of which are still reeling from the effects of the Heartbleed bug.
This is the second consecutive month in which severe vulnerabilities that allow remote login interception have required patches from Adobe. Last month six bulletins were released. In both cases, the problems affected not only Flash Player but also the cross-OS software suite Adobe AIR and its software development kit.
Users of Google's Chrome browser and Windows 8.x users of Internet Explorer will receive the updates automatically, but if this doesn't apply to you, then Adobe's advice is to update manually, as a matter of urgency, from the Adobe website.