[ UPDATE: Here's the official alert from Adobe with information on the patch. It covers a total of five vulnerabilities and affects Flash Player 10.0.12.36 and earlier ]
Sometime later today, Adobe will issue a patch for at least one critical vulnerability affecting its ubiquitous Flash Player. If you live on the Windows ecosystem, this is a heads-up to pay attention to Adobe's security updates page and treat this as a high-priority issue.
According to an advisory from iDefense, the company that brokered the disclosure process, the patch will fix a Flash Player vulnerability that could allow an attacker to use rigged Shockwave Flash files to execute arbitrary code with the privileges of the current user.
From the iDefense alert:
- During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.
To exploit this vulnerability, iDefense said a targeted user must load a malicious Shockwave Flash file created by an attacker. This can be trivially done via social engineering techniques or injecting content into a compromised, trusted site or advertising network.
- Utilizing various techniques, an attacker is able to re-allocate and control the memory used by the destroyed object. This allows the attacker to subvert execution when a virtual function is called via the invalid reference.
The flaw was confirmed latest version of Flash Player (126.96.36.199). Previous versions may also be affected. iDefense said it tested exploitation on Windows XP SP3 and Windows Vista SP1.
- iDefense believe that all platforms supported by Flash Player are affected by this vulnerability, including Linux and MacOS.
Adobe was first notified of this issue last August. The company is currently in the midst of responding to zero-day attacks against bugs in its Adobe Reader and Acrobat products.