
Another month, another critical Flash security update


Software maker Adobe has released yet another security update for Adobe Flash (version 11.1.102.63), addressing a bug in Flash’s Matrix3D class that could allow attackers to corrupt system memory and (in theory) gain control of a system. The update applies across a broad range of Adobe’s Flash offerings, covering Flash for Windows, Mac OS X, Linux, Solaris, and Android. Users can download and install the update for free from Adobe’s Web site; users who can’t update to Flash 11 can download a version of Flash Player 10 that fixes the same vulnerability. Android users should get new versions of Flash from the Android Market: those with Android 3.x and 2.x devices should update to Flash Player 11.1.111.7, while those far enough ahead of the curve to have Android 4 Ice Cream Sandwich can grab Flash 11.1.115.7. Google Chrome users can get an update from Google Chrome Releases.
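Because the fixed build differs by platform (11.1.102.63 on the desktop, 11.1.111.7 on Android 2.x/3.x, 11.1.115.7 on Android 4), an administrator checking a fleet needs to compare installed versions against the right target, and needs to do it numerically rather than as strings. The following is an added example, not Adobe’s tooling or anything from the article; the hostnames, platform labels and inventory rows are constructed, and only the fixed version numbers are taken from the text above.

```python
"""Patch-compliance check for the Flash builds named in the article.

Added example, not Adobe's code. The fixed version numbers come from the
article; the platform labels and the inventory rows are constructed.
"""

# Fixed build per platform family, as listed in the article.
FIXED_VERSIONS = {
    "desktop": "11.1.102.63",        # Windows, Mac OS X, Linux, Solaris
    "android-2x-3x": "11.1.111.7",   # Android 2.x and 3.x devices
    "android-4x": "11.1.115.7",      # Android 4 Ice Cream Sandwich
}


def parse_version(text: str) -> tuple:
    """Turn '11.1.102.63' into (11, 1, 102, 63) so comparison is numeric.

    A plain string comparison gets this wrong: '11.1.102.9' > '11.1.102.63'
    lexicographically, although build 9 is older than build 63.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(installed: str, platform: str) -> str:
    """Classify one installed build against the fixed build for its platform.

    Returns 'patched', 'unpatched', or 'unknown-branch'. The article says a
    fixed Flash Player 10 build exists but does not name its number, so an
    install on an older major version cannot be judged from this table.
    """
    fixed = parse_version(FIXED_VERSIONS[platform])
    current = parse_version(installed)
    if current[0] < fixed[0]:
        return "unknown-branch"
    return "patched" if current >= fixed else "unpatched"


def check_inventory(rows):
    """rows: iterable of (host, platform, installed_version) tuples.

    Returns {host: status}. A malformed version string or an unknown
    platform label is reported as 'invalid' rather than being silently
    treated as current, so bad inventory data cannot hide a missing patch.
    """
    report = {}
    for host, platform, version in rows:
        try:
            report[host] = patch_status(version, platform)
        except (ValueError, KeyError):
            report[host] = "invalid"
    return report


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "11.1.102.63"),          # exactly the fixed build
    ("ws-02", "desktop", "11.1.102.55"),          # older build, needs update
    ("ws-03", "desktop", "10.3.183.0"),           # Flash 10 branch, not in table
    ("phone-01", "android-2x-3x", "11.1.111.7"),  # fixed build for 2.x/3.x
    ("phone-02", "android-4x", "11.1.111.7"),     # ICS device on the 2.x/3.x build
    ("ws-04", "desktop", "11.1.102.63-beta"),     # malformed version string
]

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

The `unknown-branch` result is deliberate: the page says a fixed Flash Player 10 build exists but does not give its number, so the script refuses to guess and leaves those hosts for manual review rather than marking them patched or unpatched.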

The vulnerability was discovered by Tavis Ormandy and Fermin Serna of Google’s security team. Adobe classifies the vulnerability as a “priority 2” in Adobe’s just-introduced three-level advisory system — think of it as a terror alert level without pretty colors. Priority 2 means that the vulnerability could be used to take control of a user’s computer or device, but there are no known exploits in the wild and Adobe doesn’t expect any are imminent. Adobe does recommend site administrators apply the patch within 30 days.

The Flash update also closes a second loophole in integer handling that Adobe classifies as an “information disclosure” problem.

The security update is the second Adobe has released in the last 20 days; the most recent release, on February 15, would have been a “priority 1” update on Adobe’s new scale, since it involved a zero-day exploit already being used by attackers.