Adobe Systems Inc. rolled out a Flash Player security update, fixing seven serious vulnerabilities in the ubiquitous application, while adding support for a protection feature designed to safeguard users from
Adobe said in its advisory that the latest version, Flash Player 11.3, fixes flaws that could cause a crash and potentially allow an attacker to take control of the affected system. The update is available for Windows, Mac, Linux and Google Android. Corresponding Adobe AIR patches are available for Windows, Mac and Android.
Sandboxing protection for Mac, Firefox users
Adobe is adding Protected Mode support for the Flash Player plugin in Mozilla Firefox (on Windows Vista and later). Protected Mode runs the plugin in a low-privilege sandboxed process, isolating it from sensitive system resources so that a compromised Flash Player cannot directly reach the rest of the user’s system. Firefox users have been testing a beta of the sandboxed Flash Player since February. Adobe already ships a sandboxed Flash Player for Google Chrome.
Sandboxing isn’t a silver bullet, and security researchers have demonstrated as much with sandbox escapes. It does raise the bar, though: an attacker who exploits a Flash Player vulnerability in Firefox lands inside the sandbox and must then chain a second exploit to break out of it and onto the victim’s machine.
“Flash Player Protected Mode for Firefox is another step in our efforts to raise the cost for attackers seeking to leverage a Flash Player bug in a working exploit that harms end users,” said Brad Arkin, senior director of product security and privacy, in a blog post describing the new Flash Player protection.
Adobe also added support for Gatekeeper, a feature of Mac OS X Mountain Lion that verifies the code signature of downloaded software and so can flag a tampered or unsigned Flash Player installer. Arkin said Gatekeeper support ensures users aren’t installing a malicious version of Flash Player served from a phishing link. The new background updater for Mac checks for updates hourly. “The background updater can download and install the update without interrupting the end user’s session with a prompt,” Arkin wrote.