Adobe pushed out security updates for Flash Player this afternoon, addressing 18 different vulnerabilities, all critical, that could allow an attacker to take control of an affected system running the multimedia platform according to a security bulletin posted today.
The Patch Tuesday updates, available for Windows, Macintosh, and Linux machines, remedy vulnerabilities in several builds of Flash Player and AIR, Adobe’s run-time system.
The lion’s share of the vulnerabilities – 15 of the 18 – a use-after-free, double free, memory corruption, type confusion and buffer overflow vulnerability, could lead to code execution if left unpatched. Other vulnerabilities patched include issues that could trigger session tokens to be disclosed, and cause privilege escalation.
Researchers with Google Project Zero, the Chromium Rewards Project, Microsoft, and several other firms dug up the vulnerabilities.
Adobe is urging users running older versions of Flash Player (184.108.40.206 and earlier, 220.127.116.11 and earlier 13.x versions, 18.104.22.1681 and earlier for Linux) and older versions of AIR (22.214.171.1243 and earlier, SDK 126.96.36.1992 and earlier, SDK & Compiler 188.8.131.522 and earlier, 184.108.40.2063 and earlier for Android) to update as soon as possible.
In October, one week after Adobe pushed its last handful of patches for Flash, attackers began bundling one of the fixed vulnerabilities (CVE-2014-0569) into the Fiesta exploit kit. Independent malware researcher Kafeine wrote at the time that it was a “really fast integration” into an exploit kit and that whoever coded it must have reversed the patch in two days. It remains to be seen whether any of the 18 vulnerabilities that were fixed today are either currently being exploited in the wild or if they’ll eventually be incorporated into a future exploit kit.