Adobe Patches Two Zero-Day Vulnerabilities in Flash Player

Adobe Releases Security Updates for Flash Player, Acrobat, Reader, Shockwave Player

Adobe has released security updates for Flash Player, Reader, Acrobat and Shockwave Player. The most important of these updates fixes two Flash Player zero-day vulnerabilities identified by researchers in the Hacking Team leak.

The Flash Player zero-day bugs, CVE-2015-5122 and CVE-2015-5123, were reported to Adobe by Dhanesh Kizhakkinan of FireEye, and by Peter Pi of Trend Micro together with the researcher known as “slipstream/RoL”, respectively. These use-after-free (UAF) vulnerabilities affect Flash Player 18.0.0.204 and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems.

Adobe has patched the flaws with the release of Flash Player 18.0.0.209. Google has updated Chrome and Microsoft has updated Internet Explorer to ensure that users are protected against potential attacks exploiting these vulnerabilities.
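The version boundaries in the two paragraphs above (18.0.0.204 and earlier affected, 18.0.0.209 fixed) are what a defender checks an inventory against. The following is an added example, not code from the article or from Adobe: it parses dotted version strings numerically (string comparison gets "9.0.0.1" versus "18.0.0.209" wrong) and classifies each host. The inventory lines are constructed sample data; the host names and the CSV layout are assumptions.

```python
"""Classify Flash Player installs against the CVE-2015-5122/-5123 advisory.

Added example, not part of the SecurityWeek article. The only facts used are
the article's: 18.0.0.204 and earlier is affected, 18.0.0.209 is the fix.
"""
from typing import Dict, Tuple

LAST_AFFECTED = "18.0.0.204"   # from the article: "18.0.0.204 and earlier"
FIXED = "18.0.0.209"           # from the article: patched release
CVES = ("CVE-2015-5122", "CVE-2015-5123")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.0.0.204' into (18, 0, 0, 204) so comparison is numeric.

    Lexical comparison is the classic mistake here: as strings,
    '9.0.0.1' > '18.0.0.209' because '9' sorts after '1'.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {version!r}")
    return parts


def classify(installed: str) -> str:
    """Return 'affected', 'patched', 'unknown' (between the two bounds,
    which the advisory text does not cover) or 'unparseable'."""
    try:
        v = parse_version(installed)
    except ValueError:
        return "unparseable"
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED):
        return "patched"
    return "unknown"


# Constructed sample inventory (hypothetical hosts): "<host>,<flash version>".
SAMPLE_INVENTORY = """\
ws-01,18.0.0.204
ws-02,18.0.0.209
ws-03,17.0.0.188
ws-04,9.0.0.1
ws-05,not installed
"""


def audit(inventory: str) -> Dict[str, str]:
    """Map each host in the CSV-style inventory to its classification."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        note = f"  ({', '.join(CVES)})" if status == "affected" else ""
        print(f"{host}: {status}{note}")
```

Hosts reported as "affected" need the 18.0.0.209 update (or a browser-bundled equivalent, as the article notes for Chrome and Internet Explorer); "unknown" covers builds between the two bounds that the advisory text does not describe, so they should be verified rather than assumed safe.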

The exploit for CVE-2015-5122 had been integrated into several exploit kits, including Angler, RIG, Neutrino and Nuclear Pack, before Adobe released the patch.

A total of three Flash Player zero-days have been uncovered by experts in the Hacking Team leak. Adobe released a patch for the first zero-day (CVE-2015-5119) shortly after the bug’s existence came to light.

Mozilla announced recently that all versions of the Flash Player plugin have been disabled by default in Firefox until Adobe releases an update to patch the vulnerabilities.

The latest series of security holes has once again prompted experts to warn users about the risks associated with the use of Flash Player. Facebook’s recently appointed CSO, Alex Stamos, said “it is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”


“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” Stamos wrote on Twitter.

In a blog post coinciding with the release of the security updates, Adobe said the company is actively working on improving Flash Player security.

“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered,” Adobe said. “We continue to partner with browser vendors to both improve Flash Player security as well as invest in, contribute to and support more modern technologies such as HTML5 and JavaScript.”

Security updates for Adobe Reader, Acrobat and Shockwave Player

Adobe has also released patches for Reader and Acrobat. The latest versions address a total of 46 vulnerabilities, including denial-of-service (DoS), arbitrary code execution, information disclosure, and restriction bypass flaws.

Independent researchers and experts from HP’s Zero Day Initiative, Cure53.de, MWR Labs, Google Project Zero, the Alibaba Security Research Team, Minded Security, and the Nanyang Technological University have been credited for reporting these vulnerabilities.

As for Shockwave Player, Adobe has addressed two critical memory corruption vulnerabilities (CVE-2015-5120, CVE-2015-5121) identified by researchers at Fortinet. The flaws can be exploited for arbitrary code execution.

Adobe says it’s not aware of exploits targeting any of these vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
