Adobe announced on Monday the availability of updates for Flash Player. The latest version of the software patches a total of 23 vulnerabilities, including flaws that can be exploited for arbitrary code execution.
The list of vulnerabilities patched with the release of Flash Player 19.0.0.185 for Windows and Mac and Flash Player 11.2.202.521 for Linux includes information disclosure, security bypass, memory leak, type confusion, use-after-free, buffer overflow, stack corruption, and other memory corruption flaws.
“These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.
The latest Flash Player also includes additional validation checks to ensure that malicious content from vulnerable JSONP callback APIs is rejected, and improvements to a mitigation mechanism designed to provide protection against vector length corruptions.
Adobe says it hasn’t found any evidence to suggest that these vulnerabilities have been exploited in the wild.
Independent researchers and experts from companies such as Google, Alibaba, Tencent, AddReality, and Qihoo360 have been credited for reporting these security holes.
Flash Player has also been updated in Google Chrome, Microsoft Edge on Windows 10, Internet Explorer 10 and 11, and Adobe AIR.
However, security blogger Brian Krebs has pointed out that while Adobe regularly releases security updates for Shockwave, the version of a Flash component bundled with the multimedia product is very old.
Krebs has pointed out that the Flash version included in the Shockwave Player update released two weeks ago is 16.0.0.305. This version of Flash, released in February 2015, is plagued by a total of 155 vulnerabilities, some of which have been exploited in the wild.
Adobe told SecurityWeek that Flash will be updated in the Shockwave bundle in a forthcoming Shockwave release. The company says it’s also currently reviewing the Shockwave patch cycle.
Despite the fact that many developers and security professionals have called for the end of Flash Player, Adobe seems determined to keep the software alive. The company has been working to make the application more difficult to exploit and it has even received assistance from Google researchers in achieving this goal.
*Updated with information from Adobe regarding the Flash component in Shockwave
