Adobe today patched seven critical vulnerabilities in Flash Player -- the fifth security update so far in 2012 -- and released a sandboxed plug-in for Mozilla's Firefox.

The company also released the "silent update" tool for OS X, and said it had prepped Flash for the upcoming OS X 10.8, aka Mountain Lion, by signing its code, a requirement if users are to install software downloaded from sources other than Apple's own Mac App Store.

"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," said Adobe in an advisory published Friday.

The flaws were all over the map, and included memory corruption, integer and stack overflow, and security bypass bugs. One of the seven was tagged as a "binary planting" vulnerability in the Flash installer.

"Binary planting" is a synonym for what others call "DLL load hijacking," a bug class first uncovered nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.

Because many Windows applications don't call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

Unlike the last Flash security update, which Adobe issued May 4, today's bug patches are for vulnerabilities that the company has not seen exploited in the wild.

Among those Adobe credited for reporting the vulnerabilities was a researcher from the Google Chrome team, another from Symantec and two engineers who work for Microsoft.

Microsoft and Adobe have been working even closer than usual of late: Last week, Microsoft announced that it had, with Adobe's help, integrated Flash Player into the Metro version of Internet Explorer 10 (IE10).

That move seemed to contradict Microsoft's earlier promise that it would not allow plug-ins -- Flash Player is probably the most widely-used browser plug-in on the planet -- in IE10 on Metro, the new tablet-oriented user interface (UI) within Windows 8 and the sole mode on Windows RT.

Also included in Flash Player 11.3 was a sandboxed plug-in for Firefox and the promised silent update tool for OS X users.

Adobe first talked about sandboxing Flash for Firefox in February, when it released a beta version of the plug-in for that browser on Windows Vista and Windows 7.

The new Flash Player silent updater for OS X is set to automatically install future updates in the background.

A sandbox isolates processes on the computer, preventing, or at least hindering, hackers trying to exploit an unpatched vulnerability, escalate privileges and push malware onto the machine.

Adobe first sandboxed Flash Player for Google's Chrome in late 2010 after working with Google engineers; the sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers, Adobe said several months ago.

The Mac background updater debuted just over a month ago in a beta version of Flash Player 11.3, but went final today. The tool is identical to the Windows version, which Adobe launched in March: It pings Adobe's servers every hour until it gets a response. If it reaches Adobe and finds no ready update, the tool re-checks the servers 24 hours later.

Found updates, however, are applied entirely in the background, and do not display notices on the screen or require the user to take any action.

By default, Flash 11.3 has silent updates switched on for OS X users, but they can change the setting to continue to receive on-screen alerts, or more dangerously, decline all updates.

Adobe has also prepared Flash Player for the release of Apple's next desktop operating system, Mountain Lion.

Mountain Lion includes a new feature called Gatekeeper that by default will let users install only software downloaded from the Mac App Store -- the Apple-curated market that debuted in January 2011 -- or signed with certificates Apple provides free-of-charge to registered developers.

Gatekeeper is Apple's reaction to last year's spread of the Mac Defender malware, which was tucked into fake security software: Gatekeeper will prevent such "scareware" from ending up on Macs.

"Starting with Flash Player 11.3, Adobe has started signing releases for Mac OS X using an Apple Developer ID certificate," said Brad Arkin, Adobe's senior director of security, products and services, on a company blog today. "Therefore, if the Gatekeeper setting is set to 'Mac App Store and identified developers,' end-users will be able to install Flash Player without being blocked."

Because Flash is not distributed through Apple's desktop app market, if users set Gatekeeper to the most restrictive option -- "Mac App Store" -- they won't be able to install or update Flash Player.

Flash Player was upgraded Friday to version 11.3 for Windows and OS X, to 11.2 for Linux and to 11.1 for Android. As of 3 p.m. ET, Google had yet to update Chrome, which includes its own version of Flash, to give its users the patched edition.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is. See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
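The "binary planting" bug class described above comes down to which directory wins when a DLL is requested by bare filename. The following is an added example, not code from the article or from Adobe: a simplified Python model of the default Windows desktop search order (SafeDllSearchMode on) that a defender can use to reason about whether a load resolves outside the system directories. The file name `example.dll`, the user paths and the in-memory file list are constructed for illustration, and the model illustrates the bug class in general, not the specific Flash installer flaw.

```python
import ntpath

# System locations treated as trusted in this model.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# Constructed sample "filesystem": a genuine copy and a same-named file that
# sits next to an installer launched from the Downloads folder.
FILES = {p.lower() for p in (
    r"C:\Windows\System32\example.dll",
    r"C:\Users\alice\Downloads\example.dll",
)}

def search_order(app_dir, cwd, path_dirs):
    """Simplified default order: application directory, system directories,
    current directory, then PATH. KnownDLLs, manifests and already-loaded
    modules are deliberately left out of this model."""
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]

def resolve(dll, app_dir, cwd, path_dirs, files=FILES):
    """Return the path that would be loaded for `dll`, or None if not found."""
    if ntpath.isabs(dll):                 # full path name: no search happens
        return dll if dll.lower() in files else None
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in files:
            return candidate
    return None

def audit(dll, app_dir, cwd, path_dirs, files=FILES):
    """Return (resolved_path, trusted). trusted is False when the load
    resolves outside SYSTEM_DIRS or does not resolve at all."""
    hit = resolve(dll, app_dir, cwd, path_dirs, files)
    system = {s.lower() for s in SYSTEM_DIRS}
    trusted = hit is not None and ntpath.dirname(hit).lower() in system
    return hit, trusted

if __name__ == "__main__":
    downloads = r"C:\Users\alice\Downloads"
    # Bare filename: the copy beside the executable is found first.
    print(audit("example.dll", downloads, downloads, []))
    # Full path name: the search order is never consulted.
    print(audit(r"C:\Windows\System32\example.dll", downloads, downloads, []))
```
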