Adobe Patches Critical Vulnerabilities In Flash Player

Adobe on Tuesday released updates that address multiple security vulnerabilities across various versions of Adobe Flash Player running on Windows, Macintosh, Linux, and Android.

The security updates address critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system, though Adobe said it is not aware of any exploits in the wild for any of the issues being patched as part of today’s release.

Just over a week ago, Adobe issued a set of patches to address more than 20 security issues in Adobe Reader, Shockwave and Flash. 

“Adobe just patched Flash on August 14th with APSB12-18 and releasing back to back updates does not bode well,” said Andrew Storms, nCircle’s director of security operations. “You have to ask yourself why these bug fixes were not included in last week’s release. The real head scratcher is timing, what is going on with the planning and release management program at Adobe to warrant this?”

“My interpretation is that last week’s release was an out-of-band emergency fix to address a specific vulnerability that was being abused in the wild and that could not be integrated with this bigger release,” opined Wolfgang Kandek, CTO of Qualys. “Last week’s release effectively pushed out the date for this bigger release, probably due to scheduling and resource conflicts.”

In Adobe’s security bulletin (APSB12-19) they recommend users update their product installations to the latest versions:

• Users of Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.4.402.265.

• Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.

• Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.3.31.230 for Windows and Linux, and Flash Player 11.4.402.265 for Macintosh.

• Users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.17.

• Users of Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.16.

• Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.

• Users of the Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2540 SDK.

• Users of the Adobe AIR 3.3.0.3650 and earlier versions for Android should update to the Adobe AIR 3.4.0.2540.

Affected Software versions

• Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems

• Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x

• Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x

• Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh

• Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions

• Adobe AIR 3.3.0.3650 and earlier versions for Android

Adobe credited several individuals for reporting issues addressed in the release, including Xu Liu of Fortinet’s FortiGuard Labs, Will Dormann of CERT, Honggang Ren of Fortinet’s FortiGuard Labs, Alexander Gavrun through iDefense’s Vulnerability Contributor Program, and Claudio Santambrogio of Opera Software.