Emergency Patches Pushed for Flash, PHP

The Adobe fix aims to cure a vulnerability in all versions of the player

Adobe pushed an emergency patch Friday for its Flash Player to fix a flaw that's being actively exploited to attack computers running Windows.

Meanwhile, PHP's developers are still scrambling to fix a vulnerability, made public earlier this week, in the scripting language, which is widely used to build web applications, including Facebook's.

The Adobe fix addresses an "object confusion vulnerability" present in all versions of the player for Windows, Macintosh, Linux and Android. According to the company's bulletin, however, it has so far been exploited only against Windows systems running Microsoft's Internet Explorer.

When exploited, the defect could crash Flash Player and allow an attacker to take control of your computer.

Malware exploiting the vulnerability is being delivered in email messages containing an attachment. The email, though, is highly targeted, which means it's directed at a limited number of individuals.

Adobe's PDF file format has become a popular vehicle in recent times for delivering a malicious payload to a computer, according to John Harrison, a group product manager at Symantec. "The malicious attachments that are coming these days don't include executables; they're a PDF or [Microsoft] Office document," he told PCWorld.

"Today," he adds, "PDFs are inherently more dangerous, in my opinion, than executables because you're lulled into thinking you're just looking at a document that has some text. You may be reading some text, but behind the scenes it's really doing whatever an attacker wants."

Adobe recommends that Windows, Macintosh and Linux users of Flash Player 11.2.202.233 or earlier upgrade to the latest version of the program immediately.

The same goes for Android 4.x users running Flash Player 11.1.115.7 or earlier, and for Android 2.x and 3.x users running version 11.1.111.8 or earlier.

If you're not sure what version of Flash Player you're running, Adobe has a website that will automatically give you that information when you visit it.

Users of Google's Chrome browser don't need to upgrade Flash Player by hand, because Google bundles the player with the browser and updates it automatically behind the scenes.

Of course, users of devices running Apple's mobile operating system, iOS, don't have to worry about the Flash flaw either, because those devices don't run Flash at all.

Earlier in the week, a security flaw in the PHP scripting language, which researchers at Eindbazen had been holding privately for months, was accidentally published to the Internet. According to the researchers, "someone" mistakenly marked an internal document on the bug "public" and it was posted to Reddit.

The flaw, which affects servers running PHP as a CGI binary (PHP-CGI) rather than as a web-server module, could be exploited to expose the source code of a site's applications or to run an attacker's code on the server.

The revelation prodded the PHP Group to push out a fix immediately. The problem was that the fix itself contained a bug that made the remedy practically ineffective.

That's not the first time that's happened. When the group fixed a hash collision vulnerability in PHP in January, it introduced a bug that attackers could exploit to execute arbitrary code on a site.

Eindbazen has posted some workarounds for dealing with the PHP bug until a permanent fix is available.
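The PHP-CGI flaw described above hinges on a quirk of the CGI specification (RFC 3875, section 4.4): when a request's query string contains no unencoded "=", the gateway splits it on "+", URL-decodes the pieces and passes them to the CGI program as command-line arguments, so a request such as /index.php?-s reaches php-cgi as the option "-s" (show source). The following detector is an added example, not code from PCWorld, Eindbazen or the PHP Group; it reproduces that argv conversion and scans a few constructed Apache access-log lines for requests that would smuggle option words into php-cgi. The log lines, IP addresses and the function names are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines for illustration only (not real traffic).
# Line 1: an attempt to dump source with "-s". Line 2: an attempt to inject
# php.ini settings with "-d". Lines 3 and 4 are benign; line 4 is an old-style
# ISINDEX search query that has no "=" but also carries no option words.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2012:10:02:11 +0000] "GET /index.php?-s HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2012:10:02:15 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 53 "-" "Mozilla/5.0"
198.51.100.2 - - [04/May/2012:10:03:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/May/2012:10:03:40 +0000] "GET /search.php?kittens+puppies HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(query: str) -> list[str]:
    """Reproduce how a CGI gateway turns a query string into argv (RFC 3875 s4.4).

    Only a query with no unencoded '=' is treated as a search string: it is
    split on '+' and each piece is URL-decoded. Note that a percent-encoded
    '=' (%3d) does not count, which is exactly what lets '-d option=value'
    slip through. A query that contains a literal '=' yields no argv at all.
    """
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def php_cgi_options(target: str) -> list[str]:
    """Return the option words (e.g. '-s', '-d') php-cgi would receive from
    this request target, or [] if the request cannot reach php-cgi's argv."""
    _, _, query = target.partition("?")
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def scan_access_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, options) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        options = php_cgi_options(target)
        if options:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, target, options))
    return hits


if __name__ == "__main__":
    for ip, target, options in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> php-cgi would see options {options}")
```

Run against a real access log, the scan only makes sense for requests that are actually routed to a php-cgi binary; a site serving PHP through a server module is not affected by this particular flaw. The same "no unencoded '=' but a leading '-'" condition is what a web-server rewrite rule would need to reject as a stop-gap, with the caveat that legitimate search-style queries (line 4 above) must not be blocked.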

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

