Date: Wednesday, July 9th, 2014, 11:43
Category: News, security, Software
Even if you’re not crazy about Adobe Flash Player these days, there’s a better reason than usual to upgrade to the new version.
Per AppleInsider and Adobe, a well-known vulnerability in Adobe’s Flash Player that could allow malicious users to steal browser data — including cookies — on Macs, PCs, and Linux machines has been exploited for the first time. As such, Adobe has issued a patch and urged users to upgrade their systems as soon as possible.
The company says that Flash Player versions 126.96.36.199 and earlier for Mac and Windows and version 188.8.131.528 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 184.108.40.206 while Linux users should update to version 220.127.116.114.
The flaw relies on specially crafted SWF files that consist entirely of alphanumeric characters, which will be executed by Flash Player even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing returned data.
In addition to the end-user mitigation, website owners can patch the vulnerability — assigned CVE identifier CVE-2014-4671 — on their end with one of a number of fixes identified by Spagnuolo.
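For site owners who want to spot the all-alphanumeric SWF files described above in content they handle, here is a small detection check, added as an illustration; it is not code from Adobe or Spagnuolo and is not one of his fixes. The function names and the sample byte strings are constructed for this example; the only format facts assumed are the three SWF signatures (FWS, CWS, ZWS) and the 8-byte header layout.

```python
import re
import struct

# SWF container signatures: FWS = uncompressed, CWS = zlib, ZWS = LZMA.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ALNUM_ONLY = re.compile(rb"[A-Za-z0-9]+")


def parse_header(blob: bytes):
    """Return (signature, version, declared_length), or None if not SWF-shaped."""
    if len(blob) < 8 or blob[:3] not in SWF_SIGNATURES:
        return None
    # Byte 3 is the version; bytes 4-7 are the declared length, little-endian.
    version, declared_length = struct.unpack_from("<BI", blob, 3)
    return blob[:3].decode("ascii"), version, declared_length


def classify(blob: bytes) -> str:
    """'not-swf', 'swf' (ordinary binary file) or 'alnum-swf' (suspicious)."""
    if parse_header(blob) is None:
        return "not-swf"
    # An ordinary SWF carries binary bytes in its header and body; a file made
    # only of letters and digits that still opens with a SWF signature is the
    # pattern this advisory describes.
    return "alnum-swf" if ALNUM_ONLY.fullmatch(blob) else "swf"


def flag_suspicious(samples: dict) -> list:
    """Names of samples that are SWF-shaped and purely alphanumeric."""
    return sorted(n for n, b in samples.items() if classify(b) == "alnum-swf")


# Constructed samples: header shapes only, none is a working Flash file.
SAMPLES = {
    "ordinary.swf": b"CWS\x0a" + struct.pack("<I", 4096) + b"\x78\x9c\x00\xff",
    "alnum_blob": b"CWS" + b"A" * 5 + b"x9Zq" * 8,
    "plain_identifier": b"handleResponse42",
    "short": b"CWS1",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify(blob):10} header={parse_header(blob)}")
    print("flagged:", flag_suspicious(SAMPLES))
```

In the flagged sample the version and length fields decode to 65 and 1094795585, because those header bytes are themselves ASCII letters. The check can also fire on a harmless word that happens to begin with one of the three signatures, so treat a hit as a reason to look closer.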
Users can check the version of Flash installed on their system by visiting Adobe’s About Flash Player page or by right-clicking on Flash content in their browser and choosing “About Adobe (or Macromedia) Flash Player” from the contextual menu. The update can also be downloaded directly from Adobe’s web site.