Adobe has issued security bulletins addressing five critical vulnerabilities in its Flash, Reader and Acrobat Players that could give attackers the ability to cause crashes and wrest control of affected machines.
Adobe claims it is not aware of any in-the-wild exploits targeting these bugs.
CVE-2014-0491 and CVE-2014-0492, reported by Masato Kinugawa and the Zero Day Initiative respectively, resolve problems in Adobe Flash and AIR. Users will need to update Flash Player 11.9.900.170 and earlier versions for Windows and Mac and 126.96.36.1992 and earlier versions for Linux. Users of Adobe AIR, including versions 188.8.131.520 and earlier for Windows, Mac, Android, SDK, and compiler, will need to update those systems as well.
All the Flash bugs received Adobe’s highest priority rating while the AIR bugs received its lowest.
Gynvael Coldwind and Mateusz Jurczyk of Google’s security team discovered CVE-2014-0493 and CVE-2014-0495, while a researcher named Saroush Dalili reported CVE-2014-0496 to Adobe. All of these bugs affect either Adobe Acrobat or Reader and received Adobe’s highest priority rating.
Affected versions include, Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Mac, Reader X (10.1.8) and earlier 10.x versions for Windows and Mac, Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Mac, and Acrobat X (10.1.8) and earlier 10.x versions for Windows and Mac.