Adobe issues out-of-band updates for Flash
Adobe issued patches on Monday for two critical vulnerabilities in its Flash player found by employees of Google’s Security Team.
The company issued the fixes outside of its normal patching schedule, which is the second Tuesday of the month, in line with Microsoft’s monthly patch release.
Adobe’s applications are frequently targeted by hackers because of the large number of users worldwide who have applications and plugins such as Flash and Reader installed.
Adobe classified the vulnerabilities as “priority two,” which means there are currently no known exploits — crafted attacks that take advantage of a software vulnerability — and the company does not expect exploits to quickly appear. Administrators are advised to update Flash within 30 days, according to the risk rating.
The vulnerable software version is 220.127.116.11 and earlier for Windows, Mac, Linux and Solaris operating systems, which should be updated to version 18.104.22.168.
Adobe advised that some users may not be able to upgrade to the 22.214.171.124 version. Those users should download a patched version of Flash 10.x, which is version number 10.3.183.16.
Also vulnerable are versions 126.96.36.199 and earlier for Android 4.x, which should be replaced with version 188.8.131.52 from the Android Marketplace, Adobe said. People using Flash version 184.108.40.206 on Android 3.x and 2.x systems should also upgrade to 220.127.116.11. Users can figure out the version they’re running by visiting this Adobe support page.
One of the issues, CVE-2012-0768, is a memory corruption problem in a component of Flash called Matrix3D, which could allow an attacker to take control of a person’s computer. The other, CVE-2012-0769, is an integer error that could cause information to be disclosed.
Tavis Ormandy and Fermin J. Serna of Google were credited with finding the vulnerabilities.