Adobe Patches Host of Memory Bugs in Flash Player

Adobe announced security updates and a new version of Flash Player for Windows, Mac and Linux; the company also announced it was postponing a scheduled update for Reader and Acrobat.

Adobe today released an updated Flash Player that patched a dozen vulnerabilities, and also announced that a scheduled security update for Reader and Acrobat has been postponed to the week of Sept. 15.

Today’s release, which coincides with Microsoft’s monthly scheduled security updates, patches numerous remotely exploitable vulnerabilities in Flash Player for Windows, Macintosh and Linux operating systems.

None of the bugs are being exploited in the wild, Adobe said.

Affected versions of Flash Player are:

  • Adobe Flash Player 14.0.0.179 and earlier versions
  • Adobe Flash Player 13.0.0.241 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.400 and earlier versions for Linux
  • Adobe AIR desktop runtime 14.0.0.178 and earlier versions
  • Adobe AIR SDK 14.0.0.178 and earlier versions
  • Adobe AIR SDK & Compiler 14.0.0.178 and earlier versions
  • Adobe AIR 14.0.0.179 and earlier versions for Android

Adobe assigned its highest criticality rating to Flash Player 14 running on Windows, Mac, Linux and Internet Explorer 10 for Windows 8. Flash Player 11 for Linux and Adobe AIR for all platforms were given a lower criticality rating, and administrators can update at their discretion, Adobe said.

The critical bugs enabling remote code execution are, for the most part, memory issues, including a memory leakage issue that could allow an attacker to bypass address space layout randomization (ASLR). Another six CVEs address memory corruption vulnerabilities that lead to code execution, as well as a use-after-free vulnerability, a security-bypass vulnerability, a heap buffer overflow and another bug that allows a hacker to bypass the same-origin policy.

Adobe had also planned to release new versions of Adobe Acrobat and Reader, but decided to reschedule its release to next week.

“This delay was necessary to address issues identified during routine regression testing,” Adobe said.

The update reportedly addresses critical vulnerabilities in Adobe Reader XI (11.0.08) and earlier versions for Windows and Macintosh, Adobe Reader X (10.1.10) and earlier versions for Windows and Macintosh, Adobe Acrobat XI (11.0.08) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.10) and earlier versions for Windows and Macintosh.

This article was corrected to reflect that the updated Adobe patch will be available the week of Sept. 15.
