Adobe Patches Critical Vulnerabilities in Flash Player

Adobe released a regularly-scheduled update for Flash Player addressing four critical vulnerabilities on Tuesday.

The patch addressed four critical vulnerabilities that affect Flash for Windows, Mac OS X, Linux, and older versions of Android, as well as Adobe AIR, Adobe said in its security bulletin. The vulnerabilities (an integer overflow, a use-after-free, a memory corruption, and a heap buffer overflow) could, if exploited, cause a crash and potentially allow the attacker to take control of the affected system, Adobe said.

Adobe credited members of the Google Security Team for reporting the heap buffer overflow and memory corruption vulnerabilities. The integer overflow bug came via an anonymous tip through iDefense’s Vulnerability Contributor Program, and Attila Suszter found the use-after-free flaw.

“Adobe is not aware of any exploits or attacks in the wild for any of the issues addressed in this update,” the company said in the advisory.

Affected platforms include Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. Users running Adobe AIR 3.6.0.597 and earlier on Windows and Mac OS X, the 3.6.0.597 SDK and AIR 3.6.0.599 SDK and Compiler, and AIR 3.6.0.597 for Android should also update the software, according to the advisory.

The Windows and Mac OS X patches are available from Adobe’s Flash Player Download Center. Google will push out an update for its Chrome Web browser with the fixed Flash Player and Microsoft will address the integrated Flash in Internet Explorer 10 for Windows 8. Android users should go to either Google Play or Amazon Marketplace for the latest updates.

The Flash update for Windows has an overall priority of 1, which means the vulnerabilities have a higher risk of being targeted and should be patched within 7 hours. Mac OS X is ranked 2, meaning there is “elevated risk” but exploits are not imminent.

Adobe recommends installing the update within 30 days. The Flash updates for Linux and Android, as well as the AIR update for Windows and Mac OS X, are rated 3, so administrators should “install the update at their discretion,” according to Adobe.

Adobe released the bulletins hours before Microsoft is scheduled to release seven bulletins addressing vulnerabilities in Microsoft Silverlight, Internet Explorer, Microsoft Office, Microsoft Server Software, and Microsoft Windows for the March Patch Tuesday release.
