Adobe fixes 25 critical security holes in its software


Adobe released a security update for its software on Monday, including Flash Player, fixing 25 security holes. The updates affect Flash running on Windows, Apple Mac, Android and Linux systems.

Adobe AIR users on Windows, Mac OS X, Android and iOS are also advised to install an update.

In a security bulletin issued Monday, APSB12-22, Adobe said that the 25 security vulnerabilities were all “critical” and that those using affected versions of Flash Player or Adobe AIR should apply patches immediately.

The fixes cover 14 buffer overflow vulnerabilities and 11 memory corruption vulnerabilities. In each case, attackers could exploit the holes to run malicious code on vulnerable systems.

Both Microsoft and Google responded by releasing updates to their Web browsers that incorporated the Adobe patches.

Microsoft said its update fixes Adobe Flash Player running on Internet Explorer 10 on Windows 8 and urged its users to apply the fix immediately.

Microsoft’s decision to bundle Flash with Internet Explorer 10 has been controversial, with some security experts noting that it adds yet another layer of complexity to patching, with users having to wait for Redmond to release a fix, even if Adobe has already addressed the problem.

Google, which also bundles Flash with its Chrome browser, automatically updated browser installations to the latest version of Adobe Flash Player, releasing Chrome version 22.0.1229.92 for Windows, Mac and Linux.

In its advisory, Adobe gave top priority to Windows users running Flash Player, encouraging them to upgrade to the latest version of Flash: 11.4.402.287. The company said that the patch for Windows was a “Priority 1” issue, meaning that it fixes vulnerabilities that are actively being targeted or may be targeted by attackers.

The company recommends Priority 1 issues be patched as soon as possible.

The patch was rated Priority 2 on the Mac OS X platform, meaning that the company does not know of any active exploits for the vulnerability on Mac OS X, but that unpatched systems are at “elevated risk.”

Vulnerabilities in Adobe’s products, including Flash and Reader, have been a top target of malicious hackers in recent years, perhaps a result of stiffer controls in Microsoft’s Windows operating system, as well as an increase in users consuming rich media using Adobe’s products.



9 Responses to Adobe fixes 25 critical security holes in its software

  1. Jon Fukumoto · 690 days ago

    Wait a second. Flash has never been and never will be on iOS devices.

    • Graham Cluley · 690 days ago

      I think the reference to iOS is in relation to updating Adobe Air. More details can be found in Adobe's advisory.

  2. nikki callaghan · 690 days ago

    I have an older version of Mac so can no longer update it. Is there anything I can do?

    • Andrew Ludgate · 690 days ago

      The best thing you can do is just disable the Flash plugin. Most sites fall back to JavaScript if Flash isn't available. If you have a site that requires Flash, run it in a dedicated web browser with Flash enabled for that specific site.

  3. Moo · 689 days ago

    I think my Chrome's way of "updating" was just to remove Flash altogether. It seems to be missing completely from my plugins list. Quite annoying. My Flash disappearing seems to coincide with this update. Worked fine a few days ago.

  4. Michael Keighley · 688 days ago

    Please note that, since this article was written, Chrome Stable has been updated AGAIN to v.22.0.1229.94 to fix a further security hole (NOT Flash-related)
    http://googlechromereleases.blogspot.co.uk/2012/1... refers.

    Auto update should take care of that for many/most.

  5. David Stokely · 688 days ago

    OK. . . Rah Rah for Adobe fixing 25 critical security holes, but 25 out of how many potential holes??? And I'm not picking on Adobe, but it seems like there is just an endless and I mean ENDLESS supply of holes to fix in all these browsers, applications, operating systems, routers, and on and on and on. . .

    Are we in this position because we are relatively speaking still in the infancy of the Internet, etc.? Will we someday speak of malware, trojans, viruses, only in a historical context? I guess I'm asking, in the overall picture, are we at all getting safer? It seems to me that depressingly we are going the other way. The bad things are getting more powerful, more malignant, and capable of doing terrible damage.

    In the beginning most often viruses would put a message on your desktop or caused something funny to happen to your computer. . . these days your hard drive can be wiped or encrypted. . . your bank account emptied, your identity stolen. . . potentially power plants shut down, electrical grids compromised. . . infrastructure destroyed the gates of dams opened via the Internet, automobiles stolen or disabled, medical devices pacemakers, insulin pumps for God's sake remotely turned to kill rather than heal . . . in many unexpected ways your life made miserable or ruined for a considerable time or even ended by this new modern day self-inflicted plague. . ..

    Looking to the future, maybe the distant future, will things ever be significantly better? Or will they continue to more likely, (in my opinion) deteriorate at an ever increasing rate as they are now????

    • njorl · 685 days ago

      Yes, it looks scary to me. I used to believe that exercising caution with e-mailed attachments was enough to keep my computer (and all that depends upon it) safe. Now, I think it's more a case of hoping I haven't browsed to a compromised, or innately malicious, web site.

      I can't understand how we have remained in this mess.

      Buffer overflow was recognised as a category of error a long time ago. (Perhaps, it's now half a century - someone will correct me!) Nowadays, "overflow" is the main auto-completion suggestion when you start typing "buffer" - in your mind, if not actually the word processor! A mass move to Object Orientated languages (which greatly facilitate reuse, to avoid the need to write "equivalent" pieces of code over and over) began in the early nineties. Why have software engineers continued knocking out overflowable buffers at such a prodigious rate?

  6. dav2 · 673 days ago

    I just wonder when Adobe will put out an update that prevents flashblock or adblock, under the guise of a security enhancement.


About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.