Adobe Patches 17 Flaws in Flash Player

Adobe has released Flash Player updates to address a total of 17 vulnerabilities, many of which can be exploited for arbitrary code execution.

Flash Player 19.0.0.245 for Windows, Mac OS X, and the Chrome and Internet Explorer web browsers fixes a series of critical security holes that could allow an attacker to take control of vulnerable systems.

One of the fixed issues is a type confusion flaw (CVE-2015-7659) that can be leveraged for arbitrary code execution. The updates also resolve a security bypass vulnerability (CVE-2015-7662) that allows malicious actors to write arbitrary data to the file system with the targeted user’s permissions.

A total of 15 use-after-free flaws that could result in arbitrary code execution have also been patched in the latest version of Flash Player. The following CVE identifiers have been assigned to these issues: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044 and CVE-2015-8046.

The security bypass flaw was reported to Adobe by Jordan Rabet, while the memory corruption vulnerabilities were discovered by Natalie Silvanovich of Google Project Zero, Kenneth Fitch and Aaron Lamb of Endgame, an anonymous researcher, and “Bilou” via the Zero Day Initiative (ZDI).

The vulnerabilities have also been patched in Adobe AIR with the release of version 19.0.0.241.

Adobe says it’s not aware of any in-the-wild exploits targeting these security holes.

A report released this week by threat intelligence company Recorded Future showed that eight of the top ten vulnerabilities used by exploit kits in 2015 affected Flash Player. The company’s report is based on the analysis of more than 100 exploit kits.

“While each organization needs to decide for itself if installing the steady stream of Adobe Flash updates is feasible, steps can be taken as a stop-gap to Adobe exploits. This includes enabling ‘Click to Play’ which provides a check on use of Adobe Flash Player in an unknown environment,” Recorded Future said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
