Adobe has rolled-out an update for its popular Flash Player software that patches a set of 11 critical security vulnerabilities in its program, most of which potentially allow hackers to remotely execute arbitrary code on vulnerable systems.
AFFECTED SOFTWARE
All versions prior to the latest version 17.0.0.134 of the Flash Player are affected on Windows and Mac OS X machines. Therefore, Adobe Flash Player installed with Google Chrome, as well as Internet Explorer 10 and 11 on Windows 8 and Windows 8.1, should automatically update to the newest version 17.0.0.134.
In addition, Adobe Flash Player 11.2.202.442 for Linux and Flash Player Extended Support Release 13.0.0.269 for Windows and Mac OS X are also affected by the vulnerabilities.
So, users of Flash Player on Linux should update to version 11.2.202.451 and Flash Player Extended Support Release on Windows and Mac are recommended to update to version 13.0.0.277.
So, users of Flash Player on Linux should update to version 11.2.202.451 and Flash Player Extended Support Release on Windows and Mac are recommended to update to version 13.0.0.277.
REMOTE CODE EXECUTION
Total 9 Remote Code Execution vulnerabilities patches are included in the latest Adobe Flash PLayer update. An attacker could serve a specially crafted Flash file to trigger the vulnerabilities, which would lead to the execution of attacker's code in order to take control of a target system.
Most of the vulnerabilities in Adobe Flash Player have been reported by security researchers from Google's Project Zero team. Other security companies that disclosed the vulnerabilities are Hewlett-Packard, NCC Group, Intel and McAfee.
LIST OF VULNERABILITIES
The list of all the patched vulnerabilities along with their impacts is given below:
- CVE-2014-0332 — Remote code execution via memory corruption vulnerability.
- CVE-2015-0333 — Remote code execution via memory corruption vulnerability.
- CVE-2015-0334 — Remote code execution from type confusion vulnerability.
- CVE-2015-0335 — Remote code execution via memory corruption vulnerability.
- CVE-2015-0336 — Remote code execution from type confusion vulnerability.
- CVE-2015-0337 — A 'cross domain policy bypass' flaw.
- CVE-2015-0338 — Remote code execution from integer overflow vulnerability.
- CVE-2015-0339 — Remote code execution via memory corruption vulnerability.
- CVE-2015-0340 — A 'File upload restriction bypass' flaw.
- CVE-2015-0341 — Remote code execution from a 'use-after-free' vulnerability.
- CVE-2015-0342 — Remote code execution from a 'use-after-free' vulnerability.
According to Adobe, none of the vulnerabilities are being publicly exploited in the wild thus far. However, we all know that immediately after the the release of updated versions, hackers starts exploiting these critical flaws in order to catch out people who haven't updated their machines.
Therefore users and administrators running Adobe Flash Player on Windows, Mac OS X and Linux are advised to update their software to the most recent version of the software in an attempt to protect their systems from cyber attacks.
