Adobe Patches 17 Flaws in Flash Player

Adobe has released Flash Player updates to address a total of 17 vulnerabilities, many of which can be exploited for arbitrary code execution.

Flash Player 19.0.0.245 for Windows, Mac OS X, and the Chrome and Internet Explorer web browsers fixes a series of critical security holes that could allow an attacker to take control of vulnerable systems.

One of the fixed issues is a type confusion flaw (CVE-2015-7659) that can be leveraged for arbitrary code execution. The updates also resolve a security bypass vulnerability (CVE-2015-7662) that allows malicious actors to write arbitrary data to the file system with the targeted user’s permissions.

A total of 15 use-after-free flaws that could result in arbitrary code execution have also been patched in the latest version of Flash Player. The following CVE identifiers have been assigned to these issues: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044 and CVE-2015-8046.

The security bypass flaw was reported to Adobe by Jordan Rabet, while the memory corruption vulnerabilities were discovered by Natalie Silvanovich of Google Project Zero, Kenneth Fitch and Aaron Lamb of Endgame, an anonymous researcher, and “Bilou” via the Zero Day Initiative (ZDI).

The vulnerabilities have also been patched in Adobe AIR with the release of version 19.0.0.241.

Adobe says it’s not aware of any in-the-wild exploits targeting these security holes.

A report released this week by threat intelligence company Recorded Future showed that eight of the top ten vulnerabilities used by exploit kits in 2015 affected Flash Player. The company’s report is based on the analysis of more than 100 exploit kits.

“While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment,” Recorded Future said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.