Adobe Flash Player 15.0.0.152, released on Tuesday, addresses a total of 12 security vulnerabilities, many of which could be exploited for code execution.
The flaws affect Flash Player 14.0.0.179 and earlier versions for Windows and Mac, Flash Player 13.0.0.241 and earlier 13.x versions, and Flash Player 11.2.202.400 and earlier versions for Linux.
The vulnerabilities fixed with this latest update have been assigned the CVE identifiers: CVE-2014-0547, CVE-2014-0548, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0553, CVE-2014-0554, CVE-2014-0555, CVE-2014-0556, CVE-2014-0557 and CVE-2014-0559.
CVE-2014-0557 is a memory leakage vulnerability that can be exploited to bypass memory address randomization. CVE-2014-0554 is a security bypass issue, and CVE-2014-0553 is a use-after-free flaw that could be leveraged for arbitrary code execution. Other vulnerabilities that could lead to code execution are the heap buffer overflows that have been assigned CVE-2014-0556 and CVE-2014-0559.
CVE-2014-0548 is a flaw that can be exploited to bypass the same origin policy. The rest of the issues addressed in Flash Player 15 are memory corruption issues that could lead to code execution.
Eight of the vulnerabilities have been reported to Adobe by Chris Evans of Google Project Zero, Michal Zalewski of the Google Security Team also being credited for one of them. Other researchers who have contributed to making Flash Player more secure are Masato Kinugawa, Liu Jincheng and Wen Guanxing from Venustech ADLAB, Bas Venis, and Lucas Leong of Trend Micro.
Most of the Flash Player updates have been rated as critical, which indicates that they address vulnerabilities that are being exploited, or ones that have a high risk of being exploited in the wild.
Adobe has also released version 15 of the cross-platform run-time system Adobe Integrated Runtime (Adobe AIR). The company is advising Adobe AIR desktop runtime, SDK, and SDK and Compiler customers to update their installations to version 15.0.0.249. Adobe AIR for Android users should update to version 15.0.0.252.
Adobe Reader and Acrobat security updates will be released only next week. They were originally set to be released on Tuesday, but the company was forced to reschedule them due to some issues identified during routine regression testing.
On the other hand, Microsoft patched its products as planned. The company has addressed a total of 42 vulnerabilities affecting Windows, Internet Explorer, the .NET framework, and Lync Server.
