Adobe on Tuesday fixed four critical vulnerabilities in its Flash software, all of which could be used by attackers to execute code on vulnerable machines.
While the monthly updates for Adobe products don’t necessarily draw as much attention as those from Microsoft, they often can be more important. Flash is the most widely deployed piece of software on the Internet, and attackers regularly target the application with exploits as part of drive-by downloads. However, it’s becoming more and more difficult for attackers to exploit modern versions of Flash thanks to the sandbox that Adobe has added in recent versions.
At last week’s Pwn2Own hacking contest at the CanSecWest conference, researchers from VUPEN were able to chain together three separate vulnerabilities to exploit Flash and escape the sandbox. Chaouki Bekrar, the CEO of VUPEN, said that Flash has become a much harder target of late.
“Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it,” Bekrar said. “It’s more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”
The March Flash update includes patches for four critical bugs: an integer overflow, a buffer overflow, a use-after-free and a memory corruption flaw. The update is for Windows, Mac, Linux and Android.