Information Security

Posted
Feb 26, 2009

Adobe fixes two Flash flaws

Adobe Systems Inc. updated its popular Flash Player to fix vulnerabilities that could allow an attacker to execute arbitrary code and gain control of a computer.

Flaws were discovered in Flash Player version 10.0.12.36 and earlier. The update also affects AIR 1.5, Flash CS4 and CS3 Professional and Flex 3.

Affected users should upgrade to version 10.0.22.87. Adobe said it also released a patch for Flash Player 9 for users who cannot update to the latest version.

In its security advisory, Adobe said the update addresses five vulnerabilities in the player. Among the flaws is an input validation issue that could result in a denial-of-service attack. A potential clickjacking issue has also been patched, as has an issue with the Linux version of Flash Player that could result in privilege escalation.

A flaw was discovered by iDefense Labs, which issued an advisory Tuesday. iDefense researchers discovered an invalid object reference vulnerability in Flash Player that created an error when the player attempted to process Shockwave Flash files. The flaw could be exploited if a person browses to a website hosting malicious Shockwave Flash files, iDefense said.

"An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site," iDefense said in its advisory. "Utilizing various techniques, an attacker is able to reallocate and control the memory used by the destroyed object. This allows the attacker to subvert execution when a virtual function is called via the invalid reference."



Copyright © 2010 Westwick-Farrow Pty Ltd. All rights reserved.