Adobe has released Flash Player updates to address a total of 17 vulnerabilities, many of which can be exploited for arbitrary code execution.
Flash Player 19.0.0.245 for Windows, Mac OS X, and the Chrome and Internet Explorer web browsers fix a series of critical security holes that could allow an attacker to take control of vulnerable systems.
One of the fixed issues is a type confusion flaw (CVE-2015-7659) that can be leveraged for arbitrary code execution. The updates also resolve a security bypass vulnerability (CVE-2015-7662) that allows malicious actors to write arbitrary data to the file system with the targeted user’s permissions.
A total of 15 use-after-free flaws that could result in arbitrary code execution have also been patched in the latest version of Flash Player. The following CVE identifiers have been assigned to these issues: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044 and CVE-2015-8046.
The security bypass flaw was reported to Adobe by Jordan Rabet, while the memory corruption vulnerabilities were discovered by Natalie Silvanovich of Google Project Zero, Kenneth Fitch and Aaron Lamb of Endgame, an anonymous researcher, and “Bilou” via the Zero Day Initiative (ZDI).
The vulnerabilities have also been patched in Adobe AIR with the release of version 19.0.0.241.
Adobe says it’s not aware of any in-the-wild exploits targeting these security holes.
A report released this week by threat intelligence company Recorded Future showed that eight of the top ten vulnerabilities used by exploit kits in 2015 affected Flash Player. The company’s report is based on the analysis of more than 100 exploit kits.
“While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment,” Recorded Future said.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
