Old versions of Adobe Flash Player, perhaps the most widely used software in the world, contain known bugs that are being actively exploited online. If you are using any version of Flash Player, other than the latest, you should update to version 9.0.124.0 as soon as possible.
Early reports from Symantec said the bug being exploited was a new one. Turns out this is not the case. On Thursday, Adobe said
"Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."
You can see which version of Flash Player is being used by your Web browser at the Adobe Flash tester page. You need to check every Web browser installed on your computer.
For instructions on updating Flash Player, see Time to update the Flash Player. Here's how. If you use the portable version of Firefox, see Portable Firefox and the Flash Player for instructions on updating Flash Player.
See a summary of all my Defensive Computing postings.
Adobe Systems CEO Shantanu Narayen said the company intends to bring its Flash Player to Apple's iPhone.
During a conference call to announce Adobe's first-quarter earnings on Tuesday, Narayen said Adobe "will work with Apple" to make sure that Flash applications can run on the iPhone.
Adobe CEO Shantanu Narayen
(Credit: Adobe Systems)Seeking Alpha has a transcript of a conference call. Narayen's comment on the iPhone was in response to a question about getting Flash ported to other devices. (Microsoft announced earlier this week that it has licensed Flash Lite so that Flash applications can run on Windows Mobile devices.)
According to Seeking Alpha, here's what Narayen had to say:
Well, you really believe that Flash is synonymous with the Internet, and frankly, anybody who wants to browse the Web and experience the Web's glory really needs Flash support.
We were very excited about the announcement from Windows Mobile--adoption of Flash on their devices--and the fact that we've shipped 0.5 billion devices now, non-PC devices. So we are also committed to bringing the Flash experience to the iPhone, and we will work with Apple.
We've evaluated the SDK. We can now start to develop the Flash player ourselves, and we think it benefits our joint customers. So we want to work with Apple to bring that capability to the device.
Whether and how Flash applications would run on Apple's iPhone has been an open question since the device's launch. Narayen's comments indicate that Adobe will be able to create a version of Flash Lite for the iPhone by using the iPhone software developers kit (SDK) which was released earlier this month.
Adobe executives have made clear their desire to have Web applications written with Flash, which run on a range of the mobile phones, to make their way to the iPhone.
But Apple has thus far not allowed it, apparently over concerns that Flash applications run too slowly.
During Apple's shareholder meeting in March, Apple CEO Steve Jobs said that full-blown Flash applications are "too slow to be useful" on the iPhone. He went on to say the mobile version of the Flash, called Flash Lite, is "not capable of being used with the Web."
Even after Jobs' comments about Flash and Flash Lite, Adobe touted the success of Flash Lite on other devices but still did not commit to bringing Flash applications to the iPhone.
Adobe Systems on Tuesday is expected to announce that it will dramatically cut the price of its server software for streaming video over the Web.
Flash Media Server 3, which is set for release in January, will now come in two versions. Flash Media Streaming Server will cost $995, and Flash Media Interactive Server will cost $4,500.
With the current version, Adobe sells its Media Server for between $4,500 and $45,000.
The company is lowering prices in response to customer requests, said Kevin Towes, product manager for Adobe Media Server. "What we've been hearing is that the cost of streaming video over progressive download is the barrier," he said.
The new server is also designed to cut the cost of deploying streaming video with the ability to better utilize a server's network card, he said. A typical media server with a 1-gigabit network card could serve about 2,000 people.
Also on Tuesday, Adobe is scheduled to release a version of its Flash Player that supports the high-definition video standard H.264.
Although Flash is widely used on the Internet for streaming video, it is facing growing competition from Microsoft and its Silverlight plug-in, which is going after the same digital media market.
Adobe Systems this week issued three critical security updates designed to address vulnerabilities in its Flash Player, according to a security advisory issued by the company.
Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.
Users loading a malicious vector graphics file format (SWF) in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory by Secunia. Attackers, as a result, can gain remote access to a user's system.
In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player with certain browsers. As a result, that could potentially lead to a leaking of key strokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.
Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referer. As a result, an attacker could execute a cross-site forgery attack. Flash Player 9, however, is not affected.
Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.
Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.
- prev
- 1
- next
