Apple, Adobe Patch Serious Security Flaws

Source: SecurityNewsDaily

Adobe and Apple rolled out major patches to their products yesterday (Nov. 10), including security fixes for iPhones and iPads and less glamorous, but no less important, patches for Adobe AIR and Flash Player.

Apple's iOS 5.0.1, rolled out almost a month after the major upgrade to iOS 5, fixes the iPad 2 SmartCover password workaround revealed a few weeks ago, as well as the much more serious operating-system flaw discovered by independent Apple researcher Charlie Miller.

Miller proved earlier this week that a hacker could get a malicious app into Apple's famously secure iTunes App Store. He disclosed the vulnerability to Apple three weeks ago, but did not tell the company he'd also put it into an official iTunes app.

For his trouble, Miller was kicked out of Apple's developer program and told he couldn't re-enter it for a year. Apple did at least give him credit for discovering the flaw in its software-update bulletin.

The iOS 5.0.1 update also claims to fix a battery-life problem with the iPhone 4S (though results have been mixed), and revokes digital certificates of authenticity issued by a troubled Malaysian firm.

The Apple update can be downloaded over the air for devices with a cellular data plan. Owners of iPod Touches and Wi-Fi-only iPads will probably need to connect their devices to a computer running iTunes.

Adobe's updates are more crucial. The patch for Adobe Flash Player, the browser plug-in software that powers YouTube videos as well as countless online games and animations, fixes a flaw that "could cause a crash and potentially allow an attacker to take control of the affected system."

The Flash Player vulnerability affects all browser versions for Windows, Mac OS X, Android, Linux and Solaris. (Thanks to Steve Jobs, Apple mobile devices don't run Flash Player.) Users of Internet Explorer will need to download a special Flash Player patch, while Google Chrome will update it automatically. You can get the patch here.

Adobe is also patching AIR, its platform for complex standalone Web-directed applications, such as TweetDeck. Windows, Mac OS X and Android users need to install that patch, which can be downloaded here.