Adobe has released security updates to fix seven vulnerabilities in its Flash Player and AIR platforms and one in Reader and Acrobat which, according to the company, is being exploited by attackers in the wild "...in limited, isolated attacks targeting Adobe Reader users on Windows."
The vulnerabilities, which the company rates critical, could allow an attacker to "take control of affected systems."
A new, out-of-band patch addresses a zero-day vulnerability (CVE-2014-0546) in Adobe Reader and Acrobat that offers an attacker the possibility to bypass sandbox protection and has been leveraged in "limited, isolated attacks" against Windows users.
"These updates resolve a sandbox bypass vulnerability that could be exploited to run native code with escalated privileges on Windows," Adobe warned.
The lone vulnerability in Adobe Acrobat and Reader was reported by Kaspersky Lab Global Research and Analysis Team director Costin Raiu and Vitaly Kamluk.
Details of the vulnerability were not disclosed, but Raiu said in a blog post that exploits have been observed in a small number of targeted attacks, and that it is still important for everyone to patch as soon as possible.
“At the moment, we are not providing any details on these attacks as the investigation is still ongoing,” Raiu said. “Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.”
The Apple OS X versions of Acrobat and Reader are not vulnerable. Only Reader and Acrobat versions 11.0.07 and earlier for Windows are affected, according to the company.
The other security update patches seven vulnerabilities in Flash Player, most of which are rated critical by the company, but none of the Flash vulnerabilities are being exploited in the wild, Adobe said.
Five of the fixes resolve memory leakage vulnerabilities that can be used to bypass memory address randomization (ASLR). The remaining two patches address a security bypass vulnerability and a use-after-free flaw that could allow an attacker to remotely execute code on the affected system.
The affected versions are as follows:
- Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh
- Adobe Flash Player 188.8.131.524 and earlier versions for Linux
- Adobe AIR 184.108.40.206 and earlier versions for Windows and Macintosh
- Adobe AIR 220.127.116.11 SDK and earlier versions
- Adobe AIR 18.104.22.168 SDK & Compiler and earlier versions
- Adobe AIR 22.214.171.124 and earlier versions for Android
The company urged its users to apply the updates within three days on Windows, Mac, and Linux. Users may update Acrobat and Reader with the Help > Check for Updates menu option. Flash Player users may download the latest version from Adobe. Users of Internet Explorer and Google Chrome on Windows 8 and above will receive browser updates from those companies with fixed versions of their integrated Flash Player.
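To turn the affected-version statement above into a fleet check, here is an added example (not code from the article or from Adobe) that triages a constructed endpoint inventory against the stated threshold: Reader/Acrobat 11.0.07 and earlier on Windows are affected, OS X builds are not. The hostnames, inventory format and the `needs_patch`/`triage` helper names are assumptions for illustration.

```python
"""Flag hosts still running an affected Adobe Reader/Acrobat build.

Added example, not Adobe's or the article's code. Thresholds come from the
advisory text; the inventory rows are constructed sample data.
"""
from typing import List, Tuple

AFFECTED_MAX = "11.0.07"          # highest affected Reader/Acrobat release per the advisory
AFFECTED_PRODUCTS = {"Adobe Reader", "Adobe Acrobat"}
AFFECTED_PLATFORMS = {"windows"}  # OS X builds are explicitly not vulnerable


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.07' into (11, 0, 7) so the comparison is numeric, not lexical.

    A plain string compare gets this wrong: '9.5.5' sorts *after* '11.0.07'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(product: str, platform: str, version: str) -> bool:
    """True when the installed build falls inside the advisory's affected range."""
    if product not in AFFECTED_PRODUCTS:
        return False
    if platform.lower() not in AFFECTED_PLATFORMS:
        return False
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(inventory: List[Tuple[str, str, str, str]]) -> List[str]:
    """Return the hostnames that still need the out-of-band update, sorted."""
    return sorted(host for host, product, platform, version in inventory
                  if needs_patch(product, platform, version))


# Constructed sample inventory: (host, product, platform, version)
SAMPLE_INVENTORY = [
    ("ws-101", "Adobe Reader", "Windows", "11.0.07"),   # affected: exactly at the ceiling
    ("ws-102", "Adobe Reader", "Windows", "11.0.08"),   # already patched
    ("ws-103", "Adobe Acrobat", "Windows", "10.1.10"),  # affected: older branch
    ("mac-201", "Adobe Reader", "OS X", "11.0.07"),     # not vulnerable on OS X
    ("ws-105", "Adobe Reader", "Windows", "9.5.5"),     # affected; lexical compare would miss it
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected Reader/Acrobat build, apply the update")
```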
Microsoft has also rolled out nine security updates to address at least 37 security holes in Windows and related software, including Internet Explorer, Windows Media Center, OneNote, SQL Server, and SharePoint.
The company has also made some important changes this month. Microsoft announced that it will soon begin blocking out-of-date ActiveX controls for Internet Explorer users, and will support only the latest versions of the .NET Framework and IE for each supported operating system.