Adobe issued the updates for 11 Critical Vulnerabilities

Pierluigi Paganini March 15, 2015

Adobe released security updates for Adobe Flash Player to fix 11 Critical Vulnerabilities, most of them Remote Code Execution flaws.

Adobe has issued a critical update for the Flash Player product that fixes a set of 11 critical security vulnerabilities in its software. The update is classified as critical because most of the security flaws could be exploited by a threat actor to remotely execute arbitrary code on a targeted machine.

Looking at the list of the vulnerabilities fixed by the update, nine of the flaws are Remote Code Execution vulnerabilities. In a classic attack scenario, the attack chain could start with a specially crafted Flash file delivered through a phishing campaign. The specially crafted Flash file could be used by attackers to trigger the vulnerabilities and execute arbitrary code on the victim’s PC.

The complete list of all the patched vulnerabilities is reported below:

  • CVE-2014-0332 — Remote code execution via memory corruption vulnerability.
  • CVE-2015-0333 — Remote code execution via memory corruption vulnerability.
  • CVE-2015-0334 — Remote code execution from type confusion vulnerability.
  • CVE-2015-0335 — Remote code execution via memory corruption vulnerability.
  • CVE-2015-0336 — Remote code execution from type confusion vulnerability.
  • CVE-2015-0337 — A ‘cross domain policy bypass’ flaw.
  • CVE-2015-0338 — Remote code execution from integer overflow vulnerability.
  • CVE-2015-0339 — Remote code execution via memory corruption vulnerability.
  • CVE-2015-0340 — A ‘File upload restriction bypass’ flaw.
  • CVE-2015-0341 — Remote code execution from a ‘use-after-free’ vulnerability.
  • CVE-2015-0342 — Remote code execution from a ‘use-after-free’ vulnerability.

The vulnerabilities affect all versions prior to the latest version 17.0.0.134 of the Flash Player running on Windows and Mac OS X systems.


Adobe Flash Player installed with Google Chrome, as well as with Internet Explorer on Windows 8.x, will automatically update to version 17.0.0.134.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.” states the Adobe Security Advisory Bulletin.

The security bulletin also reports that Adobe Flash Player 11.2.202.442 for Linux and Flash Player Extended Support Release 13.0.0.269 for Windows and Mac OS X are affected by the vulnerabilities fixed by the update.
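The affected and fixed builds named above (17.0.0.134 for the main branch, the 11.2.202.442 Linux build and the 13.0.0.269 Extended Support Release) are what an inventory check has to compare against. The following is an added example written for this post, not code from Adobe or from Security Affairs: it parses Flash version strings numerically (a plain string comparison would rank 9.0.0.1 above 17.0.0.134) and classifies a build against the versions the article gives. Where the article names no fixed build for the ESR or Linux branch, the function reports "unknown" rather than guessing; the platform names and the function names are assumptions of the example.

```python
# Added example, not from the article: classify an inventoried Flash Player
# build against the versions the post names for the March 2015 update.
from typing import Tuple

# Fixed build for the main branch on Windows / Mac OS X, as stated in the post.
FIXED_MAIN = "17.0.0.134"
# Builds the bulletin lists as still affected. The post gives no fixed build
# for these branches, so anything at or below them is flagged and later
# builds are reported as unknown (assumption: do not guess a fixed version).
AFFECTED_LINUX = "11.2.202.442"
AFFECTED_ESR = "13.0.0.269"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.0.0.134' into (17, 0, 0, 134) so comparison is numeric.

    Comparing the raw strings would wrongly rank '9.0.0.1' above '17.0.0.134'.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash version string: {v!r}")
    return tuple(int(p) for p in parts)


def flash_status(version: str, platform: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for an installed build.

    platform is 'windows', 'mac' or 'linux' (names chosen for this example).
      - Windows/Mac, non-ESR: patched once at or above 17.0.0.134
      - Windows/Mac, 13.x ESR: affected at or below 13.0.0.269, else unknown
      - Linux, 11.2.x: affected at or below 11.2.202.442, else unknown
    """
    ver = parse_version(version)
    plat = platform.lower()
    if plat == "linux":
        if ver[:2] == (11, 2):
            return "vulnerable" if ver <= parse_version(AFFECTED_LINUX) else "unknown"
        return "unknown"
    if plat in ("windows", "mac"):
        if ver[0] == 13:  # Extended Support Release branch
            return "vulnerable" if ver <= parse_version(AFFECTED_ESR) else "unknown"
        if ver[0] < 17:  # every earlier main-branch build predates the fix
            return "vulnerable"
        return "patched" if ver >= parse_version(FIXED_MAIN) else "vulnerable"
    return "unknown"
```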

The good news is that Adobe confirmed that none of the vulnerabilities are being publicly exploited in the wild, but security experts fear an escalation of attacks exploiting the above flaws now that the update has been released. In the criminal ecosystem, it is common to see a spike in the number of attacks targeting recently fixed vulnerabilities, with the intent of exploiting vulnerable machines that have not yet been patched.

The update released by Adobe comes a few days after Apple and Microsoft released updates for their products to patch the FREAK encryption-downgrade flaw.

Don’t waste time: if you are running Adobe Flash Player on your system, update it!

Pierluigi Paganini

(Security Affairs –  Adobe, critical update)
