Adobe Flash Player XSS flaw under 'active attack'

Summary:Adobe ships a Flash Player patch amidst reports that a universal cross-site scripting flaw "is being exploited in the wild in active targeted attacks."

Ladies and gentlemen, rev up your Flash Player update engines.

Adobe has shipped a new version of the ubiquitous software to fix at least seven documented security holes affecting Windows, Mac OS X, Linux and Solaris users.

According to Adobe, these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

It also patches a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.

Adobe has acknowledged reports that the cross-site scripting flaw "is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an e-mail message (Internet Explorer on Windows only).

[ SEE: Ten little things to secure your online presence ]

From Adobe's advisory:

follow Ryan Naraine on twitter

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

The raw details:

  • This update resolves a memory corruption vulnerability that could lead to code execution (Windows ActiveX control only) (CVE-2012-0751).
  • This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
  • This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
  • This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0756).
  • This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website (CVE-2012-0767).

Topics: Security, Enterprise Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.