The Inquirer-Home

Adobe issues critical Flash Player update for Windows and Mac

Google credentials could have been swiped
Wed Jul 09 2014, 15:47

ADOBE HAS RUSHED OUT an update to its ubiquitous Flash Player after three vulnerabilities were discovered.

Flash Player version 14.0.0.145 for Mac and Windows and 11.2.202.394 for Linux plug a hole that "...could potentially allow an attacker to take control of the affected system".

Two of the fixes are for "security bypass vulnerabilities", while the third addresses a flaw that appeared on the blog of Michele Spagnuolo, a Google engineer working out of Zurich, and that allows JSONP endpoints to be abused. Spagnuolo even provided a proof of concept tool to exploit it.

Adobe said, "These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs."

The JSONP vulnerability is particularly significant because it could be used to extract user login details stored as cookies.

Spagnuolo informed Google, which patched its accounts system, and also warned major portals including eBay, Twitter, Instagram and Tumblr, some of which are still reeling from the effects of the Heartbleed bug.

This is the second consecutive month in which severe vulnerabilities that allow remote login interception have required patches from Adobe. Last month six bulletins were released. In both cases, the problems affected not only Flash Player but also the cross-OS software suite Adobe AIR and its software developers kit.

Users of Google's Chrome browser and Windows 8.x users of Internet Explorer will receive the updates automatically, but if this doesn't apply to you, then Adobe's advice is to manually update as a matter of urgency from the Adobe website. µ

 
