Sunday, December 23, 2007

extra, extra, Flash Player critical update!

Man, with these Holidays I completely forgot to post this one...
On Dec 18 Adobe released a Security bulletin entitled "Flash Player update available to address security vulnerabilities" which pretty much affects all the major running players in the wild. There's an update and a Flash Player 7 "patch" for those who can't update. In the big slow moving enterprise intranets, patches are received far better than updates :P
So what's up with that little pluginish thing you already have installed and you use to watch YouTube and fancy online experiences?
Well it seems that he's not feeling too peachy in this otherwise joyful and merry time of the year. Multiple input validation errors, DNS rebinding attack aid, privilege escalation attacks against web servers hosting, potential cross-site scripting issues, potential Universal Cross-Site Scripting attacks, HTTP Request Splitting attacks, potential port-scanning issue, Linux memory permissions issue that could lead to privilege escalation. And some Opera on Mac related bug note that made me navigate in a circle in my quest for more details.
Nice list...
Only fair thing to say here is that all these problems are tightly related to the fact that the player runs in the browser, talks and listens to the browser, and also has to be so darn great at playing rich content from more than one web location.

Also "Adobe is retiring support of Adobe Flash Player 7". Guess I should add a "Your Flash Player version is no longer officially supported" line to my Flash detection routine. Or better, a quiz like
"Did you know that your Flash Player version is no longer officially supported?"
to make it more fun. With the choices:
  1. "Yes"
  2. "No"
  3. "No, but I didn't know that I have Flash Player installed either. So what is Flash anyway?"
And check out the Acknowledgments!
They forgot Santa though. The big thanks should go to him for lending a shoulder in the general PR effort to soften the impact of this otherwise not so good news...
So what can you do?
Update obviously!
And as a developer you should also read this article. I haven't got to page 13 so you're on your own. But I would skip it. They should jump straight from 12 to 14 when it comes to articles on such sensitive subjects as security :D

Merry Christmas to you all!
Peace to the World!

