Computerworld

Emergency Patches Pushed for Flash, PHP

The Adobe fix aims to cure a vulnerability in all versions of the player

Adobe pushed an emergency patch Friday for its Flash Player to fix a flaw that's being actively exploited to attack computers running Windows.

Meanwhile, software writers are still scrambling to fix a vulnerability, made public earlier this week, in PHP, a scripting language widely used to run servers on the Web, including those of Facebook.

The Adobe fix aims to cure an "object confusion vulnerability" discovered in all versions of the player -- Windows, Macintosh, Linux, and Android -- but so far it has been used only to attack Windows systems running Microsoft's browser, Internet Explorer, according to a company bulletin on the subject.

When exploited, the defect could crash Flash Player and allow an attacker to take control of your computer.

Malware exploiting the vulnerability is being delivered in email messages containing an attachment. The email, though, is highly targeted, which means it's directed at a limited number of individuals.

Adobe's PDF file format has become a popular vehicle in recent times for delivering a malicious payload to a computer, according to John Harrison, a group product manager at Symantec. "The malicious attachments that are coming these days don't include executables; they're a PDF or [Microsoft] Office document," he told PCWorld.

"Today," he adds, "PDFs are inherently more dangerous, in my opinion, than executables because you're lulled into thinking you're just looking at a document that has some text. You may be reading some text, but behind the scenes it's really doing whatever an attacker wants."

Adobe recommends that Windows, Macintosh and Linux users of Flash Player 11.2.202.233 or earlier upgrade to the latest version of the program immediately.

The same applies to Android 4.x users running Flash Player 11.1.115.7 and to Android 2.x and 3.x users running version 11.1.111.8 of the software.

If you're not sure what version of Flash Player you're running, Adobe has a website that will automatically give you that information when you visit it.

Users of Google's Chrome browser don't have to worry about upgrading their Flash Players because updates are pushed to that software behind the scenes automatically.

Of course, devices running Apple's mobile operating system, iOS, don't have to worry about the Flash flaw either because their devices don't run Flash.

Earlier in the week, a security flaw in the PHP scripting language, which the researchers at Eindbazen had been sitting on for months, was accidentally published to the Internet. According to the researchers, "someone" mistakenly marked an internal document on the bug "public" and posted it to Reddit.

The flaw, which affects servers configured to run PHP in CGI mode, could be exploited to expose the source code of a website's applications or to allow an attacker to execute code on the site.

The revelation prodded the PHP Group to push out a fix immediately. The problem was that the fix itself contained a bug that made the remedy practically ineffective.

That's not the first time that's happened. When the group fixed a hash collision vulnerability in PHP in January, they introduced a bug that could be exploited by attackers to execute arbitrary code at a site.

Eindbazen has posted some alternatives for dealing with the PHP bug until a permanent fix is available.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.