In what’s becoming a monthly ritual, Adobe today pushed out an updated version of its Flash Player that includes patches for critical vulnerabilities.
Today’s update isn’t as voluminous as a most have been since the start of summer, nonetheless, since July when a run of updates addressed zero days published after the Hacking Team breach and including an emergency update last month, Adobe has fixed more than 80 vulnerabilities in the beleaguered software.
Version 126.96.36.199 released today patches 17 vulnerabilities, all of them paving the way to remote code execution if exploited; Adobe said it has no reports of public exploits for any of the patched flaws.
In addition to the desktop version of Flash for Windows and Mac OS X, Adobe also updated Flash for Internet Explorer 11 and Microsoft Edge, both of which are expected to be included in today’s Microsoft Patch Tuesday security bulletins. Adobe also updated Flash Player for Linux and various Adobe Air products for Windows, iOS and Android mobile devices.
The lion’s share of the vulnerabilities (15) addressed today are use-after-free vulnerabilities that lead to code execution. The remaining two include a type confusion vulnerability that also leads to code execution, and a security bypass vulnerability that an attacker could use to write data to the computer’s file system, Adobe said.
Today’s update is a reprieve compared to last month’s scheduled update when Adobe patched not only Flash, but also Reader and Acrobat, addressing 69 critical vulnerabilities leading to code execution and information disclosure.
Three days later, Adobe updated Flash again with an out-of-band emergency patch that fixed a zero-day vulnerability under attack.
The zero-day was a type confusion vulnerability, and was tied to attacks carried out by a Russian-speaking APT group operating under the guise of Pawn Storm, or APT 28. Type confusion vulnerabilities occur when code doesn’t verify the type of object that’s passed to it, and uses it without type-checking.