Already under the gun for a critical hole in its ubiquitous Acrobat Reader, Adobe's security team has pushed out a fix for another serious vulnerability, this one in the company's Flash animation software. The remote code execution vulnerability has been confirmed in Flash for Windows and is believed to also affect versions that …
Yes, Flash 10 is vulnerable.
The link IS in the advisory that El Reg links to, but the iDefense advisory sucks royally.
"iDefense has confirmed the existence of this vulnerability in latest version of Flash Player, version 220.127.116.11. Previous versions may also be affected."
Well, that's not the latest version of Flash Player, not by a long mile. This marks down iDefense as an unreliable source for advisories in my book.
For IE 8
Running IE 8.0.7000 on the Win 7 beta I was unable to get Adobe's download page to install the new version (the ActiveX installation from their download page simply wouldn't start). WTG Adobe!
1) D/L the flash uninstaller from
and uninstall the old Flash ActiveX control. (IE 8 in its infinite wisdom offers no way to uninstall add-ons /rolleyes.)
2) D/L the update for Flash CS4 Pro from
unzip it and run the Flash ActiveX installer from the Release directory.
3) Curse the fact that you need to keep IE hanging around to check compatibility issues (/bitter laugh).
For once I'm glad...
...that I'm stuck using Flash 7 on a MIPS-based netbook.
Security through obscurity (and being a bit rubbish).
Flash? Just say NO ...
Most flash on web pages is used to cause continual annoyance that only makes it harder to read anything else that's on the screen.
Firefox and flashblock provide the answer. We don't see these annoyances in the first place.
Better still would be for web sites to implement proper NoFlash web pages which would make the whole web a more user-friendly place. Except in the rare cases where the flash actually performs a useful FUNCTION -- and that does not mean unnecessary embellishments or adverts.
"... The vulnerability is separate from a security bug in Adobe's Acrobat Reader program that is currently under attack."
Jeez! Does Adobe distribute anything (internet-facing) that's not "currently under attack"?
Hasn't been a problem for me
Although the proxy config lines below may have been a factor:
# =< Block Nasty Types >=======================================================