Adobe today released another sizeable security update for Flash Player, patching 13 vulnerabilities.
None of the security issues are being publicly exploited, Adobe said. All of them, however, expose Flash Player to remote attacks that would give a hacker access to the underlying system.
Adobe said the affected versions of Flash Player are as follows:
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release 22.214.171.1249 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 126.96.36.1990 and earlier 11.x versions for Linux
- Adobe AIR Desktop Runtime 188.8.131.52 and earlier versions for Windows and Macintosh
- Adobe AIR SDK and SDK & Compiler 184.108.40.206 and earlier versions for Windows and Macintosh
- Adobe AIR 220.127.116.11 and earlier versions for Android
The most severe vulnerabilities impact Flash Player for Windows (including Flash Player for Internet Explorer 10 and 11 running on Windows 8 and 8.1), Mac OS X and Linux.
The majority of the bugs patched today involve memory corruption issues that can be leveraged in other attacks. Those include: a memory address randomization issue of the Flash heap for Windows 7 64 bit; stack and integer overflows, and memory corruption vulnerabilities that lead to code execution; and four use-after-free vulnerabilities and a memory leak issue that lead to code execution or a bypass of Address Space Layout Randomization (ASLR).
Also patched were a trio of vulnerabilities that bypass the same-origin policy if exploited, leading to information disclosure. A permission issue in the Flash broker for IE was also patched; if exploited that bug could be used to elevate privileges from low to medium integrity levels, Adobe said.
Finally, the updates address a vulnerability that if exploited, bypasses a fix for a cross-side request forgery vulnerability, CVE-2014-5333.
In early May, Adobe almost routine Flash update patched 18 vulnerabilities, all of which enable remote code execution.