Adobe Flash Player 15.0.0.152, released on Tuesday, addresses a total of 12 security vulnerabilities, many of which could be exploited for code execution.
The flaws affect Flash Player 14.0.0.179 and earlier versions for Windows and Mac, Flash Player 13.0.0.241 and earlier 13.x versions, and Flash Player 11.2.202.400 and earlier versions for Linux.
The vulnerabilities fixed with this latest update have been assigned the CVE identifiers: CVE-2014-0547, CVE-2014-0548, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0553, CVE-2014-0554, CVE-2014-0555, CVE-2014-0556, CVE-2014-0557 and CVE-2014-0559.
CVE-2014-0557 is a memory leakage vulnerability that can be exploited to bypass memory address randomization. CVE-2014-0554 is a security bypass issue, and CVE-2014-0553 is a use-after-free flaw that could be leveraged for arbitrary code execution. Other vulnerabilities that could lead to code execution are the heap buffer overflows that have been assigned CVE-2014-0556 and CVE-2014-0559.
CVE-2014-0548 is a flaw that can be exploited to bypass the same origin policy. The rest of the issues addressed in Flash Player 15 are memory corruption issues that could lead to code execution.
Eight of the vulnerabilities have been reported to Adobe by Chris Evans of Google Project Zero, Michal Zalewski of the Google Security Team also being credited for one of them. Other researchers who have contributed to making Flash Player more secure are Masato Kinugawa, Liu Jincheng and Wen Guanxing from Venustech ADLAB, Bas Venis, and Lucas Leong of Trend Micro.
Most of the Flash Player updates have been rated as critical, which indicates that they address vulnerabilities that are being exploited, or ones that have a high risk of being exploited in the wild.
Adobe has also released version 15 of the cross-platform run-time system Adobe Integrated Runtime (Adobe AIR). The company is advising Adobe AIR desktop runtime, SDK, and SDK and Compiler customers to update their installations to version 15.0.0.249. Adobe AIR for Android users should update to version 15.0.0.252.
Adobe Reader and Acrobat security updates will be released only next week. They were originally set to be released on Tuesday, but the company was forced to reschedule them due to some issues identified during routine regression testing.
On the other hand, Microsoft patched its products as planned. The company has addressed a total of 42 vulnerabilities affecting Windows, Internet Explorer, the .NET framework, and Lync Server.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
