Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches 23 Vulnerabilities in Flash Player

Adobe announced on Monday the availability of updates for Flash Player. The latest version of the software patches a total of 23 vulnerabilities, including flaws that can be exploited for arbitrary code execution.

Adobe announced on Monday the availability of updates for Flash Player. The latest version of the software patches a total of 23 vulnerabilities, including flaws that can be exploited for arbitrary code execution.

The list of vulnerabilities patched with the release of Flash Player 19.0.0.185 for Windows and Mac and Flash Player 11.2.202.521 for Linux includes information disclosure, security bypass, memory leak, type confusion, use-after-free, buffer overflow, stack corruption, and other memory corruption flaws.

“These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.

The latest Flash Player also includes additional validation checks to ensure that malicious content from vulnerable JSONP callback APIs is rejected, and improvements to a mitigation mechanism designed to provide protection against vector length corruptions.

Adobe says it hasn’t found any evidence to suggest that these vulnerabilities have been exploited in the wild.

Independent researchers and experts from companies such as Google, Alibaba, Tencent, AddReality, and Qihoo360 have been credited for reporting these security holes.

Flash Player has also been updated in Google Chrome, Microsoft Edge on Windows 10, Internet Explorer 10 and 11, and Adobe AIR.

However, security blogger Brian Krebs has pointed out that while Adobe regularly releases security updates for Shockwave, the version of a Flash component bundled with the multimedia product is very old.

Krebs has pointed out that the Flash version included in the Shockwave Player update released two weeks ago is 16.0.0.305. This version of Flash, released in February 2015, is plagued by a total of 155 vulnerabilities, some of which have been exploited in the wild.

Adobe told SecurityWeek that Flash will be updated in the Shockwave bundle in a forthcoming Shockwave release. The company says it’s also currently reviewing the Shockwave patch cycle.

Despite the fact that many developers and security professionals have called for the end of Flash Player, Adobe seems determined to keep the software alive. The company has been working to make the application more difficult to exploit and it has even received assistance from Google researchers in achieving this goal.

*Updated with information from Adobe regarding the Flash component in Shockwave

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.