Adobe Patches 13 Vulnerabilities in Flash Player

Adobe’s monthly patch release features just an update for Flash Player, addressing 13 security vulnerabilities that expose the software to remote attacks.

Adobe today released another sizeable security update for Flash Player, patching 13 vulnerabilities.

None of the security issues are being publicly exploited, Adobe said. All of them, however, expose Flash Player to remote attacks that would give a hacker access to the underlying system.

Adobe said the affected versions of Flash Player are as follows:

  • Adobe Flash Player 17.0.0.188 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 13.0.0.289 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.460 and earlier 11.x versions for Linux
  • Adobe AIR Desktop Runtime 17.0.0.172 and earlier versions for Windows and Macintosh
  • Adobe AIR SDK and SDK & Compiler 17.0.0.172 and earlier versions for Windows and Macintosh
  • Adobe AIR 17.0.0.144 and earlier versions for Android

The most severe vulnerabilities impact Flash Player for Windows (including Flash Player for Internet Explorer 10 and 11 running on Windows 8 and 8.1), Mac OS X and Linux.

The majority of the bugs patched today involve memory corruption issues that can be leveraged in other attacks. Those include: a memory address randomization issue of the Flash heap for Windows 7 64 bit; stack and integer overflows, and memory corruption vulnerabilities that lead to code execution; and four use-after-free vulnerabilities and a memory leak issue that lead to code execution or a bypass of Address Space Layout Randomization (ASLR).

Also patched were a trio of vulnerabilities that bypass the same-origin policy if exploited, leading to information disclosure. A permission issue in the Flash broker for IE was also patched; if exploited that bug could be used to elevate privileges from low to medium integrity levels, Adobe said.

Finally, the updates address a vulnerability that if exploited, bypasses a fix for a cross-side request forgery vulnerability, CVE-2014-5333.

In early May, Adobe almost routine Flash update patched 18 vulnerabilities, all of which enable remote code execution.

Suggested articles