Pierluigi Paganini May 13, 2015

Adobe issued an update to fix 52 flaws in Flash Player, Reader and Acrobat products, that fortunately aren’t being publicly exploited in the wild.

Adobe has released significant updates for its products Flash Player, Reader and Acrobat. The update was issued by the company to patch 52 vulnerabilities that according to Adobe aren’t being publicly exploited in the wild.

According to the Adobe security bulletin, the Flash Update for Windows, Mac OS X, and Linux patches vulnerabilities that could be exploited by an attacker to remotely control a victim’s computer.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions” reported Adobe.

The Adobe product versions affected by the vulnerabilities are:

• Adobe Flash Player 17.0.0.169 and earlier versions
• Adobe Flash Player 13.0.0.281 and earlier 13.x versions
• Adobe Flash Player 11.2.202.457 and earlier 11.x versions
• AIR Desktop Runtime 17.0.0.144 and earlier versions
• AIR SDK and SDK & Compiler 17.0.0.144 and earlier versions 

The update fixes one heap overflow vulnerability, an integer overflow bug, three type confusion flaws, four memory corruption vulnerabilities and a use-after-free vulnerability that would allow a threat actor to run code remotely and gain control over the targeted machine. Other bugs include two memory leak issues that lead to bypass of Address Space Layout Randomization (ASLR), a security bypass vulnerability that could lead to data leakage and three further bugs that allow an attacker to write data to a file system with the same permission as the user.

Giving a look to the list of bugs in the Adobe Flash product solved by the update it is possible to note a time-of-check time-of-use race condition that that allow an attacker to bypass the Internet Explorer’s Protected Mode.

The Adobe Security Bulletin for the Reader and Acrobat updates states that the version affected by the flaws are:

• Adobe Reader XI (11.0.10) and earlier 11.x versions
• Adobe Reader X (10.1.13) and earlier 10.x versions
• Adobe Acrobat XI (11.0.10) and earlier 11.x versions
• Adobe Acrobat X (10.1.13) and earlier 10.x versions

“Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.” reported Adobe.

As explained by adobe in the security bulletin, some of the addressed flaws could be exploited to execute arbitrary code on the vulnerable machines and control them.

Also for the Adobe Reader and Acrobat products, the company confirmed the presence of memory corruption vulnerabilities, use-after free vulnerabilities, buffer overflow and heap-based buffer overflow flaws.

“These updates resolve various methods to bypass restrictions on Javascript API execution” continues the bulletin.

Pierluigi Paganini

(Security Affairs –  cyber threats, hacking)