Adobe Patches 17 Flaws in Flash Player

Adobe has released Flash Player updates to address a total of 17 vulnerabilities, many of which can be exploited for arbitrary code execution.

Flash Player 19.0.0.245 for Windows, Mac OS X, and the Chrome and Internet Explorer web browsers fixes a series of critical security holes that could allow an attacker to take control of vulnerable systems.

One of the fixed issues is a type confusion flaw (CVE-2015-7659) that can be leveraged for arbitrary code execution. The updates also resolve a security bypass vulnerability (CVE-2015-7662) that allows malicious actors to write arbitrary data to the file system with the targeted user’s permissions.

A total of 15 use-after-free flaws that could result in arbitrary code execution have also been patched in the latest version of Flash Player. The following CVE identifiers have been assigned to these issues: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044 and CVE-2015-8046.

The security bypass flaw was reported to Adobe by Jordan Rabet, while the memory corruption vulnerabilities were discovered by Natalie Silvanovich of Google Project Zero, Kenneth Fitch and Aaron Lamb of Endgame, an anonymous researcher, and “Bilou” via the Zero Day Initiative (ZDI).

The vulnerabilities have also been patched in Adobe AIR with the release of version 19.0.0.241.

Adobe says it’s not aware of any in-the-wild exploits targeting these security holes.

A report released this week by threat intelligence company Recorded Future showed that eight of the top ten vulnerabilities used by exploit kits in 2015 affected Flash Player. The company’s report is based on the analysis of more than 100 exploit kits.

“While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment,” Recorded Future said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
