Adobe has released updates for both its Flash Player and AIR software, patching four critical vulnerabilities, including one that was exposed at last month’s Pwn2Own hacking competition.
The Flash Player vulnerabilities carry the company’s highest severity rating, Priority 1, and could lead to arbitrary code execution and information disclosure on both Windows and Macintosh machines if left unpatched.
According to a security bulletin posted Tuesday the updates apply to versions 18.104.22.168 and older of Flash Player for Windows and Macintosh and version 22.214.171.1246 for Linux.
Among the quartet of vulnerabilities addressed in the update are a use-after-free vulnerability, a buffer overflow vulnerability, a security bypass vulnerability and a cross-site scripting vulnerability.
The use-after-free bug was dug up by Chaouki Bekrar and his squad of researchers at the French exploit vendor Vupen at last month’s Pwn2Pwn. Specifically, Vupen was able to chain the use-after-free vulnerability together with two other zero-days, a JIT spray and a sandbox escape to exploit Flash Player running on Internet Explorer 11.
Those running either Google Chrome or Internet Explorer 10 or 11 will have their Flash Player updated to the most recent version, 126.96.36.199, via mechanisms in those browsers.
While not as serious – Adobe rated the update Priority 3, its lowest priority – the company also took the time yesterday to update its Adobe Integrated Runtime (AIR) run-time system to version 188.8.131.52 as it was affected by the same vulnerabilities.
For network administrators there’s a good chance the patches may have been lost in the shuffle of yesterday’s Patch Tuesday fixes. That update, the last ever for Windows XP, addressed two critical vulnerabilities in Microsoft Word and Internet Explorer.