After a month free of Flash Player fixes and emergency patches, Adobe today resumed its monthly ritual of releasing a security update for the maligned software.
Today’s update patched 29 issues, most of which enabled remote code execution attacks on the host system.
Adobe also updated its Air SDK and Compiler, and Adobe Digital Editions.
Adobe said it’s unaware of public attacks against any of the vulnerabilities patched today.
Last month’s regular Patch Tuesday security updates did not include a Flash update, the first time since January that was the case. That respite came on the heels of a raucous year in which Adobe released emergency Flash updates in April, May and June, and in July patched 52 vulnerabilities, most of which were remote code execution bugs.
Close to half of the flaws patched today (14) were memory corruption vulnerabilities exposing computers to RCE attacks. Eleven use-after-free vulnerabilities were patched, along with a single integer overflow, all of which also lead to remote code execution. The remaining three bugs allow an attacker to bypass security protections on the operating system and lead to information disclosure, Adobe said.
Users are urged to update to Flash Player version 23.0.0.162 for Windows and Mac OS X. Browser versions of Flash in Google Chrome, Microsoft Edge and Internet Explorer 11 were also updated to the same version.
Adobe’s update for Air SDK and Compiler, a development environment for out-of-browser applications, patches a single vulnerability, CVE-2016-6936. Users should move to version 23.0.0.257 on Windows.
“This update adds support for secure transmission of runtime analytics for AIR applications on Android,” Adobe said in its advisory. “Developers are encouraged to recompile captive runtime bundles after applying this update.”
Adobe also patched eight flaws in its ereader software Adobe Digital Editions for Windows, Mac OS X, iOS and Android.
Users are urged to update to version 4.5.2. All but one of the vulnerabilities were memory corruption issues leading to code execution, while the other bug was a use-after-free code execution bug.