Adobe ships fix for clickjacking, clipboard hijack threats

Adobe has released Flash Player 10 (Techmeme discussion), chock-full of major security improvements, including patches and mitigation for at least five serious security vulnerabilities.

The vulnerabilities addressed in Flash Player 10 could allow an attacker to bypass the software’s security controls, Adobe warned.

From Adobe’s advisory:

  • Potential vulnerabilities have been identified in Adobe Flash Player and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

These include the previously covered clickjacking threat and clipboard hijack attacks.

A patch for Flash Player 9, which is vulnerable to these attack scenarios, is not yet available. Apple says that patch is currently scheduled for early November.

A second “critical” bulletin was also released for Flash CS3 Professional to cover a code execution vulnerability.

  • An attacker would need to convince a user to open a malicious SWF file to successfully exploit the issues. Adobe recommends that developers exercise caution when receiving unsolicited or suspicious SWF files. These issues do not affect Flash CS4 Professional. These issues do not affect the Mac version of Flash CS3 Professional.

* Image source: annia316’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]