Adobe just fixed thirteen code execution flaws in Flash Player

Adobe addressed thirteen highest severity code execution vulnerabilities in Flash Player for Windows, MAC OS, and Chrome.

Adobe released security updates that address two dozen vulnerabilities in Flash Player, Digital Editions, and the Campaigns marketing tool.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. The updates address critical vulnerabilities that could be exploited by an attacker to take control of the vulnerable system.

Flash Player 24.0.0.221 addressed 13 critical code execution flaws, including type confusion, integer overflow, use-after-free, heap buffer overflow and other memory corruption issues.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” reads the Adobe Security Advisory for the Flash product.

The flaws were discovered by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs who reported the security issued to Adobe.

Nine flaws affecting the Digital Editions ebook reader were also fixed by Adobe with the release of version 4.5.4 for Windows, Mac, and Android.

Adobe fixed several kinds of vulnerabilities including a critical heap-based buffer overflow that can be exploited for arbitrary code execution and several important buffer overflows that could lead to a memory leak.

The flaws were discovered by the researcher Steven Seeley of Source Incite and Ke Liu of Tencent’s Xuanwu LAB.

“Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak.” reads the Adobe Security Advisory for the Digital Editions product.

The last set of flaws was affecting the Adobe Campaign product for Windows and Linux, the release of Adobe Campaign 6.11 addresses a moderate severity security bypass flaw affecting the client console. The flaws could be exploited by an authenticated attacker to upload and execute a malicious file, which could result in read/write access to the system.

The experts also fixed another flaw in the latest version of Campaign, it is a moderate severity input validation issue that can be exploited for cross-site scripting (XSS) attacks. The flaws were reported to Adobe by researcher Léa Nuel.

“Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux.  This update resolves a moderate security bypass affecting the Adobe Campaign client console.  An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969).” reads the Adobe Security Advisory for the Adobe Campaign product.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Adobe, Flash Player)