Adobe has released a Flash Player update that addresses 23 critical vulnerabilities in the software, many of which can lead to code execution.
Version 220.127.116.11 and earlier of Flash Player for Windows and Mac, Microsoft Edge and Internet Explorer 11 in Windows 10, and Internet Explorer 10 and 11, are affected, according to a security bulletin posted by Adobe Monday morning.
While the company isn’t aware of any exploits currently in the wild, Adobe is encouraging users to update to the newest version 18.104.22.168, either through the company’s Download Center, or via automatic update.
The lion’s share of the vulnerabilities, 18 of the 23, could lead to code execution, Adobe warns. Others could result in information disclosure, same-origin-policy bypass, and memory leakage, according to the bulletin.
Some of the fixes are more preventive in nature, including an update that adds validation checks to ensure Flash Player rejects malicious content from callback APIs, and another that further hardens a mitigation against vector length corruption.
Ten of the vulnerabilities are credited to Google Project Zero researchers, including bugs found by former Project Zero member Chris Evans, as well as Ben Hawkes and James Forshaw. Additional vulnerabilities being patched today were discovered by the Chinese hacking crew Keen Team, which worked with HP’s Zero Day Initiative, and by researchers working with the Alibaba Security Research Team and Tencent’s Xuanwu Lab, among others.
This is the second month in a row that Adobe has pushed out more than 20 patches for Flash. Last month it released fixes for more than 30 vulnerabilities in the platform, including several that could be used to take control of a machine running an outdated version of Flash.