Adobe on Tuesday warned that multiple critical vulnerabilities in its Flash media player put users at risk, possibly from drive-by downloads, and urged all to update immediately to the patched 126.96.36.199 edition.
Microsoft also issued a security advisory Tuesday to tell customers of its Windows XP, Windows 98, and Windows Millennium operating systems -- all of which are bundled with a flawed edition of Flash -- to also update their players.
Security vendors quickly chimed in Wednesday. Danish vulnerability tracker Secunia, for example, labeled the threat as "highly critical," its second-highest warning rating.
Although Adobe didn't specify the bugs, nor give a total vulnerability count, its advisory indicated attackers would have to create a malformed .swf (Flash content file) and dupe a user into opening it.
"These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player," Adobe's advisory read.
Cupertino, Calif.-based Symantec was more specific in an alert to customers of its DeepSight Threat Management System. "Successful exploitation is said to allow for client-side execution of attacker-supplied code," Symantec's warning went. "There is a high probability that widespread exploitation could occur if a malicious .swf file were placed on a popular website.
"Apparently, no user-interaction is required to trigger the issue beyond browsing to a website with a Flash-enabled browser," continued Symantec.
Vulnerabilities that can be exploited against unsuspecting users who simply surf to a site are called "drive-by downloads," and have been attracting great attacker interest, especially after the wide success of a zero-day bug in Windows' processing of the Metafile (WMF) that was exploited using drive-bys in 2005 and into early 2006.
Most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, are Flash-enabled. Microsoft's advisory offered up several workarounds, including disabling the Flash ActiveX control or removing it entirely. The SANS Institute's Internet Storm Center told Firefox users that they may be able to block attacks with the popular AdBlock extension, which blocks all .swf files, though it warned "it's not necessary that the malware end in '.swf.'"
This is not the first Flash bug. The media player was patched as recently as November 2005 against a similar flaw. Two years before that, another critical vulnerability was uncovered.
For its part, Microsoft passed users to Adobe, telling customers to head to Adobe's Web site for guidance.
Microsoft was just as mum as Adobe about the problem's root causes, saying only that it knew of "recent security vulnerabilities in Flash." The Redmond, Wash.-based developer, however, discovered the bugs; Adobe thanked Microsoft for reporting the vulnerabilities.
Patched players for Windows, Mac, Linux, or Solaris can be downloaded from the Adobe site.