Adobe patches critical Flash bugs, ships sandboxed plug-in for Firefox

Also delivers silent updater for OS X, readies Flash for Mountain Lion

Adobe today patched seven critical vulnerabilities in Flash Player -- the fifth security update so far in 2012 -- and released a sandboxed plug-in for Mozilla's Firefox.

The company also released the "silent update" tool for OS X, and said it had prepped Flash for the upcoming OS X 10.8, aka Mountain Lion, by signing its code, a requirement if users are to install software downloaded from sources other than Apple's own Mac App Store.

"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," said Adobe in an advisory published Friday.

The flaws were all over the map, and included memory corruption, integer and stack overflow, and security bypass bugs. One of the seven was tagged as a "binary planting" vulnerability in the Flash installer.

"Binary planting" is a synonym for what others call "DLL load hijacking," a bug class first uncovered nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.

Because many Windows applications don't call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

Unlike the last Flash security update, which Adobe issued May 4, today's bug patches are for vulnerabilities that the company has not seen exploited in the wild.

Among those Adobe credited for reporting the vulnerabilities was a researcher from the Google Chrome team, another from Symantec and two engineers who work for Microsoft.

Microsoft and Adobe have been working even closer than usual of late: Last week, Microsoft announced that it had, with Adobe's help, integrated Flash Player into the Metro version of Internet Explorer 10 (IE10).

That move seemed to contradict Microsoft's earlier promise that it would not allow plug-ins -- Flash Player is probably the most widely-used browser plug-in on the planet -- in IE10 on Metro, the new tablet-oriented user interface (UI) within Windows 8 and the sole mode on Windows RT.

Also included in Flash Player 11.3 was a sandboxed plug-in for Firefox and the promised silent update tool for OS X users.

Adobe first talked about sandboxing Flash for Firefox in February, when it released a beta version of the plug-in for that browser on Windows Vista and Windows 7.

The new Flash Player silent updater for OS X is set to automatically install future updates in the background.

A sandbox isolates processes on the computer, preventing, or at least hindering, hackers trying to exploit an unpatched vulnerability, escalate privileges and push malware onto the machine.

Adobe first sandboxed Flash Player for Google's Chrome in late 2010 after working with Google engineers; the sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers, Adobe said several months ago.

The Mac background updater debuted just over a month ago in a beta version of Flash Player 11.3, but went final today. The tool is identical to the Windows version, which Adobe launched in March: It pings Adobe's servers every hour until it gets a response. If it reaches Adobe and finds no ready update, the tool re-checks the servers 24 hours later. Found updates, however, are applied entirely in the background, and do not display notices on the screen or require the user to take any action.

By default, Flash 11.3 has silent updates switched on for OS X users, but they can change the setting to continue to receive on-screen alerts, or more dangerously, decline all updates.

Adobe has also prepared Flash Player for the release of Apple's next desktop operating system, Mountain Lion.

Mountain Lion includes a new feature called Gatekeeper that by default will let users install only software downloaded from the Mac App Store -- the Apple-curated market that debuted in January 2011 -- or signed with certificates Apple provides free-of-charge to registered developers.

Gatekeeper is Apple's reaction to last year's spread of the Mac Defender malware, which was tucked into fake security software: Gatekeeper will prevent such "scareware" from ending up on Macs.

"Starting with Flash Player 11.3, Adobe has started signing releases for Mac OS X using an Apple Developer ID certificate," said Brad Arkin, Adobe's senior director of security, products and services, on a company blog today. "Therefore, if the Gatekeeper setting is set to 'Mac App Store and identified developers,' end-users will be able to install Flash Player without being blocked."

Because Flash is not distributed through Apple's desktop app market, if users set Gatekeeper to the most restrictive option -- "Mac App Store" -- they won't be able to install or update Flash Player.

Flash Player was upgraded Friday to version 11.3 for Windows and OS X, to 11.2 for Linux and to 11.1 for Android. As of 3 p.m. ET, Google had yet to update Chrome, which includes its own version of Flash, to gives its users the patched edition.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place