updated 11:05 am EDT, Thu April 10, 2008
Adobe fixes Flash exploit
Adobe has released an update for its ubiquitous Flash Player, addressing a critical security vulnerability. The v220.127.116.11 patch specifically targets an exploit related to Shockwave (SWF) files: to be affected, a user must load a malicious SWF file within Flash Player, which in turn gives hackers the ability to run unauthorized code on the computer. The vulnerability exists in Flash Player versions 18.104.22.168 and 22.214.171.124, and all prior incarnations. The update is available for all operating systems supported by Flash and for browsers including Firefox, Opera and more.
The fix also contains a new feature called cross-domain policy check. Flash Player uses policy files to grab content from other domains. Although this enables advanced functions, it is possible for hackers to create their own policy files. If these files receive acceptance from the appropriate server, SWF files can then be used to load content from outside an official server's domain.
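
For site operators, the policy-file risk described above can be checked by auditing what a server's own policy file grants. The following is an added example, not part of the original article or Adobe's code: the element and attribute names follow Adobe's published cross-domain policy file format, while the sample documents and the `audit_policy` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files (not taken from the article).
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings for one cross-domain policy document.

    Hypothetical helper. For files fetched from hosts you do not control,
    parse with a hardened XML parser instead of the stdlib one used here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain policy file"]

    findings = []
    # The meta-policy states which policy files on this host are honoured.
    site = root.find("site-control")
    if site is None:
        findings.append("no site-control meta-policy declared")
    elif site.get("permitted-cross-domain-policies") == "all":
        findings.append("meta-policy 'all' honours any policy file on the host")

    # Each allow-access-from entry grants SWFs from a domain read access.
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append("any domain may read responses from this host")
        elif domain.startswith("*."):
            findings.append("wildcard subdomain grant: " + domain)
        if entry.get("secure") == "false":
            findings.append("HTTPS content readable by HTTP-loaded SWFs: " + domain)
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(doc))
```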