Emergency Patches Pushed for Flash, PHP

The Adobe fix aims to cure a vulnerability in all versions of the player

Adobe pushed an emergency patch Friday for its Flash Player to fix a flaw that's being actively exploited to attack computers running Windows.

Meanwhile, software writers are still scrambling to fix a vulnerability, made public earlier this week, in PHP, a scripting language which is used widely to run servers on the Web, including those of Facebook.

The Adobe fix aims to cure an "object confusion vulnerability" found in all versions of the player -- Windows, Macintosh, Linux, and Android. Thus far, though, the flaw has only been used to attack Windows systems running Microsoft's browser software, Internet Explorer, according to a company bulletin on the subject.

When exploited, the defect could crash Flash Player and allow an attacker to take control of your computer.

Malware exploiting the vulnerability is being delivered in email messages containing an attachment. The email, though, is highly targeted, which means it's directed at a limited number of individuals.

Adobe's PDF file format has become a popular vehicle in recent times for delivering a malicious payload to a computer, according to John Harrison, a group product manager at Symantec. "The malicious attachments that are coming these days don't include executables; they're a PDF or [Microsoft] Office document," he told PCWorld.

"Today," he adds, "PDFs are inherently more dangerous, in my opinion, than executables because you're lulled into thinking you're just looking at a document that has some text. You may be reading some text, but behind the scenes it's really doing whatever an attacker wants."

Adobe recommends that Windows, Macintosh and Linux users of Flash Player or earlier, upgrade to the latest version of the program immediately.

The same should be done by users of Android 4.x using Flash Player and Android 2.x and 3.x using version of the software.

If you're not sure what version of Flash Player you're running, Adobe has a website that will automatically give you that information when you visit it.

Users of Google's Chrome browser don't have to worry about upgrading their Flash Players because updates are pushed to that software behind the scenes automatically.

Of course, devices running Apple's mobile operating system, iOS, don't have to worry about the Flash flaw either because their devices don't run Flash.

Earlier in the week, a security flaw in the PHP scripting language, which the researchers at Eindbazen had been sitting on for months, was accidentally published to the Internet. According to the researchers, "someone" mistakenly marked an internal document on the bug "public" and posted it to Reddit.

The flaw, which affects servers configured to run in CGI mode, could be exploited to expose the source code of applications at a website or to enable the execution of a hacker's code at the site.

The revelation prodded the PHP Group to push a fix out immediately. Problem was, the fix contained a bug that made the remedy practically ineffective.

That's not the first time that's happened. When the group fixed a hash collision vulnerability in PHP in January, they introduced a bug that could be exploited by attackers to execute arbitrary code at a site.

Eindbazen has posted some alternatives for dealing with the PHP bug until a permanent fix is available.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
