Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Updates Flash Player to Fix 9 Vulnerabilities

Adobe released updates for Flash Player on Tuesday to address a total of 9 critical vulnerabilities, many of which can be exploited for arbitrary code execution.

Adobe released updates for Flash Player on Tuesday to address a total of 9 critical vulnerabilities, many of which can be exploited for arbitrary code execution.

Two of the security holes patched by Adobe were discovered and reported by Xiaoning Li of Intel Labs and Haifei Li of McAfee Labs’ IPS Team. One of the vulnerabilities is an improper file validation issue (CVE-2015-0301), and the second is a memory corruption that could lead to arbitrary code execution (CVE-2015-0306).

A similar memory corruption issue (CVE-2015-0303) was reported by Tavis Ormandy and Chris Evans, both of Google’s Project Zero. Evans and Fermin J. Serna of the Google Security Team also notified Adobe of a use-after-free flaw that can be leveraged for code execution (CVE-2015-0308).

Arbitrary code execution could also be carried out by exploiting a type confusion vulnerability (CVE-2015-0305) reported by Project Zero affiliate Natalie Silvanovich.

A researcher using the online moniker bilou has identified two flaws: a heap-based buffer overflow (CVE-2015-0304) reported via Verisign’s iDefense Vulnerability Contributor Program, and an out-of-bounds read vulnerability (CVE-2015-0307) reported through HP’s Zero Day Initiative (ZDI). The issues reported by bilou can be exploited for code execution and to leak memory addresses, respectively.

A heap-based buffer overflow flaw that could lead to code execution (CVE-2015-0309) was reported by Yang Dingning through the Chromium Vulnerability Rewards Program.

There is no evidence to suggest that any of these vulnerabilities have been exploited in the wild.

The flaws patched with the release of Adobe Flash Player 16.0.0.257 for Windows and Mac OS X affect version 16.0.0.235 and earlier. The Linux version of the application has been updated to 11.2.202.429. Flash Player 11.2.202.425 and earlier for Linux are impacted by the fixed security bugs. Adobe Flash Player Extended Support Release has been updated to version 13.0.0.260.

The Adobe Integrated Runtime (AIR) cross-platform run-time system, which uses Flash Player, has also been updated.

Google has updated the stable channel of the Chrome Web browser to version 39.0.2171.99. The release includes the Adobe Flash Player updates and various other fixes.

On Tuesday, Microsoft released a series of security updates to address several Windows vulnerabilities, including two privilege escalation bugs already disclosed by Google, and a flaw that has been exploited in targeted attacks. Microsoft is no longer providing advance notifications for the general public.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.