Adobe Patches Two Zero-Day Vulnerabilities in Flash Player

Adobe Releases Security Updates for Flash Player, Acrobat, Reader, Shockwave Player

Adobe has released security updates for Flash Player, Reader, Acrobat and Shockwave Player. The most important of these updates fixes two Flash Player zero-day vulnerabilities identified by researchers in the Hacking Team leak.

The Flash Player zero-day bugs, CVE-2015-5122 and CVE-2015-5123, were reported to Adobe by Dhanesh Kizhakkinan of FireEye, respectively Peter Pi of Trend Micro and the researcher known as “slipstream/RoL.” These use-after-free (UAF) vulnerabilities affect Flash Player 18.0.0.204 and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems.

Adobe has patched the flaws with the release of Flash Player 18.0.0.209. Google has updated Chrome and Microsoft has updated Internet Explorer to ensure that users are protected against potential attacks exploiting these vulnerabilities.

The exploit for CVE-2015-5122 has been integrated into several exploit kits before Adobe released the patch, including Angler, RIG, Neutrino and Nuclear Pack.

A total of three Flash Player zero-days have been uncovered by experts in the Hacking Team leak. Adobe released a patch for the first zero-day (CVE-2015-5119) shortly after the bug’s existence came to light.

Mozilla announced recently that all versions of the Flash Player plugin have been disabled by default in Firefox until Adobe releases an update to patch the vulnerabilities.

The latest series of security holes has once again prompted experts to warn users about the risks associated with the use of Flash Player. Facebook’s recently appointed CSO, Alex Stamos, said “it is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” Stamos wrote on Twitter.

In a blog post coinciding with the release of the security updates, Adobe said the company is actively working on improving Flash Player security.

“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered,” Adobe said. “We continue to partner with browser vendors to both improve Flash Player security as well as invest in, contribute to and support more modern technologies such as HTML5 and JavaScript.”

Security updates for Adobe Reader, Acrobat and Shockwave Player

Adobe has also released patches for Reader and Acrobat. The latest versions address a total of 46 vulnerabilities, including denial-of-service (DoS), arbitrary code execution, information disclosure, and restriction bypass flaws.

Independent researchers and experts from HP’s Zero Day Initiative, Cure53.de, MWR Labs, Google Project Zero, the Alibaba Security Research Team, Minded Security, and the Nanyang Technological University have been credited for reporting these vulnerabilities.

As for Shockwave Player, Adobe has addressed two critical memory corruption vulnerabilities (CVE-2015-5120, CVE-2015-5121) identified by researchers at Fortinet. The flaws can be exploited for arbitrary code execution.

Adobe says it’s not aware of exploits targeting any of these vulnerabilities.