Adobe Fixes Critical Flash Hole

Monday, March 16, 2015 @ 02:03 PM gHale


Flash Player is going through another round of security updates, with Adobe releasing a patch for 11 serious vulnerabilities.

Eleven critical flaws were found in Flash Player 16.0.0.305 and earlier versions for Mac and Windows, and in Flash Player 11.2.202.442 and earlier 11.x versions for Linux. The vulnerabilities could be exploited to take control of affected systems, Adobe said.

The list of security bugs includes four memory corruption flaws that could be leveraged for arbitrary code execution (CVE-2015-0332, CVE-2015-0333, CVE-2015-0335, CVE-2015-0339). These issues were identified and reported by Mark Brand and Chris Evans of Google Project Zero, Yuki Chen and Xiaoning Li of Intel Labs, and Haifei Li of McAfee Labs.

Other vulnerabilities that could lead to arbitrary code execution are a couple of type confusions (CVE-2015-0334, CVE-2015-0336) reported by Google Project Zero affiliate Natalie Silvanovich, an integer overflow (CVE-2015-0338), and two use-after-free bugs (CVE-2015-0341, CVE-2015-0342) identified by the researcher “bilou” and Jihui Lu of KeenTeam.

Soroush Dalili of NCC Group identified a cross-domain policy bypass (CVE-2015-0337) and a file upload restriction bypass flaw (CVE-2015-0340).

There is no indication that any of these vulnerabilities are being actively exploited, but Adobe's “priority 1” rating means they are at higher risk of being targeted.

Windows and Mac users should update their installations to Flash Player version 17.0.0.134. The latest Linux version is 11.2.202.451. Flash Player bundled with Chrome and Internet Explorer will be updated automatically.
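For administrators checking an inventory against this advisory, the following is an added example (not code from the article or from Adobe) that compares reported Flash Player build strings against the fixed versions named above, per platform. It assumes, beyond what the page states, that any build older than the fixed one should be treated as needing the update, and that version strings may arrive with either dot or comma separators; the host inventory is constructed sample data.

```python
"""Added example: flag Flash Player installs that are below the fixed build
named in the advisory for their platform."""

# Fixed versions named in the advisory (taken from the article text).
FIXED_VERSIONS = {
    "windows": "17.0.0.134",
    "mac": "17.0.0.134",
    "linux": "11.2.202.451",
}


def parse_version(version):
    """Turn '16.0.0.305' (or the comma form '16,0,0,305') into a 4-tuple of
    ints, padding short strings with zeros so tuples compare component-wise."""
    parts = [int(p) for p in version.strip().replace(",", ".").split(".") if p]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised Flash version string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def needs_update(platform, installed):
    """True when the installed build is older than the fixed build for that
    platform. Assumption (not stated on the page): every build older than the
    fixed one is treated as needing the update."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def triage(inventory):
    """Return the (host, platform, version) entries that still need patching.
    inventory: iterable of (host, platform, version) tuples."""
    return [entry for entry in inventory if needs_update(entry[1], entry[2])]


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "16.0.0.305"),   # affected build named in the advisory
    ("ws-02", "windows", "17.0.0.134"),   # already at the fixed build
    ("mac-01", "mac", "16,0,0,287"),      # older build, comma separators
    ("lx-01", "linux", "11.2.202.442"),   # affected Linux build
    ("lx-02", "linux", "11.2.202.451"),   # fixed Linux build
]

if __name__ == "__main__":
    for host, platform, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash {version} on {platform} "
              f"needs update to {FIXED_VERSIONS[platform]}")
```

Because the Linux branch stays on the 11.x line while Windows and Mac move to 17.x, the comparison is keyed by platform rather than by a single global threshold; a Windows host still reporting an 11.x build is correctly flagged, since 11 compares below 17.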
