Adobe Fixes Six Code Execution Bugs in Flash

Adobe fixed seven vulnerabilities, six that could lead to code execution, in Flash Player on Tuesday.

Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities exist in versions 24.0.0.221 and earlier of Flash, according to a security bulletin issued by the company Tuesday morning.

Adobe is warning that the six bugs (a buffer overflow, two memory corruption bugs and three use-after-free bugs) could be exploited to achieve code execution. The seventh, a random number generator vulnerability, leads to information disclosure rather than code execution; it was reported by Wang Chenyu and Wu Hongjun, two researchers at Nanyang Technological University in Singapore.

Users can apply the update, 25.0.0.127, through the usual distribution channels. Google Chrome, Microsoft Edge and Internet Explorer 11 users will receive the update automatically with their browser. Users of the Flash Player Desktop Runtime for Windows, Macintosh and Linux are being urged to update via the program's own update mechanism.

Adobe also shipped an update for Shockwave Player for Windows on Tuesday.

Versions 12.2.7.197 and earlier of the multimedia plugin contained a vulnerability in the directory search path Shockwave uses to locate resources that, if exploited, could lead to escalation of privilege, a security bulletin warned. (A search path an attacker can influence lets a planted file be loaded in place of the legitimate one, with the privileges of the loading process.) The patched version, 12.2.8.198, is available from Adobe's Shockwave Player Download Center.
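For administrators checking an inventory against the two bulletins above, the only numbers that matter are the "affected" ceilings and the fixed builds, and the common mistake is comparing dotted build strings lexicographically (under which "9.0.0.1" sorts after "24.0.0.221"). The following is an added example, not code from the article or from Adobe; the inventory lines it consumes are constructed, and the `host product version` line format is an assumption. It classifies each installed build as vulnerable, patched, or unrecognized (a build above the affected ceiling but below the fixed build, which neither bulletin describes).

```python
from typing import Dict, List, Tuple

# Version ceilings and fixed builds named in Adobe's 14 March 2017 bulletins,
# as cited in the article: Flash APSB17-07 and Shockwave APSB17-08.
BULLETINS: Dict[str, Dict[str, str]] = {
    "flash": {"affected_max": "24.0.0.221", "fixed": "25.0.0.127"},
    "shockwave": {"affected_max": "12.2.7.197", "fixed": "12.2.8.198"},
}


def parse_version(s: str, width: int = 4) -> Tuple[int, ...]:
    """Turn a dotted Adobe build string into a fixed-width tuple of ints.

    Numeric tuples compare correctly ("9.0.0.1" < "24.0.0.221"); plain string
    comparison does not. Short strings such as "25.0" are zero-padded so that
    "25.0" == "25.0.0.0" and sorts below "25.0.0.127".
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    nums = [int(p) for p in parts]
    if len(nums) > width:
        raise ValueError(f"too many components in version: {s!r}")
    return tuple(nums + [0] * (width - len(nums)))


def status(product: str, installed: str) -> str:
    """Classify an installed build against the bulletin for `product`.

    'vulnerable'   : at or below the affected ceiling
    'patched'      : at or above the fixed build
    'unrecognized' : strictly between the two (no bulletin covers it; treat
                     as needing investigation rather than as safe)
    """
    entry = BULLETINS[product.lower()]
    v = parse_version(installed)
    if v <= parse_version(entry["affected_max"]):
        return "vulnerable"
    if v >= parse_version(entry["fixed"]):
        return "patched"
    return "unrecognized"


def assess_inventory(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse 'host product version' lines (assumed format) into
    (host, product, version, status) tuples; unknown products are reported
    as 'unknown-product' rather than silently skipped."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split()
        if product.lower() not in BULLETINS:
            results.append((host, product, version, "unknown-product"))
            continue
        results.append((host, product, version, status(product, version)))
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "# host      product    version",
    "ws-001      flash      24.0.0.221",   # last affected build
    "ws-002      flash      25.0.0.127",   # this month's fix
    "ws-003      flash      9.0.0.1",      # ancient build; string compare would get this wrong
    "ws-004      shockwave  12.2.7.197",   # last affected build
    "ws-005      shockwave  12.2.8.198",   # fixed build
    "ws-006      reader     11.0.0",       # not covered by these two bulletins
]

if __name__ == "__main__":
    for host, product, version, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:10} {version:12} {verdict}")
```

Anything reported as `vulnerable` should be pushed to 25.0.0.127 (Flash) or 12.2.8.198 (Shockwave); browser-bundled Flash in Chrome, Edge and IE 11 updates with the browser, so hosts running those should be checked against the browser's reported plugin version rather than a standalone installer.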

Adobe has stuck by its usual Patch Tuesday patching schedule so far in 2017.

In January it pushed out 13 patches, 12 of which could have led to remote code execution; in February the company patched 13 vulnerabilities, all of which could have led to code execution.

With this year's iteration of Pwn2Own, the annual hacking challenge held in tandem with CanSecWest in Vancouver, set to kick off tomorrow, it could be only a matter of days until Adobe releases a set of emergency updates for Flash.

Hackers took down Flash on the first day of Pwn2Own last year and earned $13,000 in the process. One group combined a type confusion bug in Flash with a Windows kernel bug, while another exploited an out-of-bounds bug in Flash and chained it with an information leak in the Windows kernel.

For this year's contest, competitors can earn $50,000 for exploiting Flash in Microsoft Edge and another $30,000 if their exploit also achieves SYSTEM-level code execution.
