Adobe has released security updates to patch nearly a dozen serious
vulnerabilities affecting the Windows, Mac and Linux versions of Flash
Player.

A total of 11 critical flaws have been identified in Flash Player
16.0.0.305 and earlier versions for Mac and Windows, and Flash Player
11.2.202.442 and earlier 11.x Linux versions. According to Adobe, the
vulnerabilities can be exploited to take control of impacted systems.

The list of security bugs includes four memory corruption flaws that can
be leveraged for arbitrary code execution (CVE-2015-0332, CVE-2015-0333,
CVE-2015-0335, CVE-2015-0339). The issues have been identified and
reported by Mark Brand and Chris Evans of Google Project Zero, Yuki Chen
and Xiaoning Li of Intel Labs, and Haifei Li of McAfee Labs.

Other vulnerabilities that could lead to arbitrary code execution are a
couple of type confusions (CVE-2015-0334, CVE-2015-0336) reported by
Google Project Zero affiliate Natalie Silvanovich, an integer overflow
(CVE-2015-0338), and two use-after-free bugs (CVE-2015-0341,
CVE-2015-0342) identified by the researcher “bilou” and Jihui Lu of
KeenTeam.

Soroush Dalili of NCC Group identified a cross-domain policy bypass
(CVE-2015-0337) and a file upload restriction bypass flaw
(CVE-2015-0340).

There is no indication that any of these vulnerabilities have been
exploited in the wild, but the “priority 1” rating suggests that the
flaws have a higher risk of being targeted by exploits.

Windows and Mac users are advised to update their installations to Flash
Player version 17.0.0.134. The latest Linux version is 11.2.202.451.
Flash Player installed with Chrome and Internet Explorer will be updated
automatically.

Researchers constantly discover serious vulnerabilities in Flash Player,
and security experts have been advising users not to install the
application unless it’s necessary. Since the beginning of the year,
Adobe has had to release updates to address three zero-day
vulnerabilities exploited in the wild by malicious actors.