Adobe Patches Host of Memory Bugs in Flash Player

Adobe announced security updates and a new version of Flash Player for Windows, Mac and Linux; the company also announced it was postponing a scheduled update for Reader and Acrobat.

Adobe today released an updated Flash Player that patched a dozen vulnerabilities, and also announced that a scheduled security update for Reader and Acrobat has been postponed to the week of Sept. 15.

Today’s release, which coincides with Microsoft’s monthly scheduled security updates, patches numerous remotely exploitable vulnerabilities in Flash Player for Windows, Macintosh and Linux operating systems.

None of the bugs are being exploited in the wild, Adobe said.

Affected versions of Flash Player are:

  • Adobe Flash Player 14.0.0.179 and earlier versions
  • Adobe Flash Player 13.0.0.241 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.400 and earlier versions for Linux
  • Adobe AIR desktop runtime 14.0.0.178 and earlier versions
  • Adobe AIR SDK 14.0.0.178 and earlier versions
  • Adobe AIR SDK & Compiler 14.0.0.178 and earlier versions
  • Adobe AIR 14.0.0.179 and earlier versions for Android

Adobe has given its highest criticality rating for Flash Player 14 running on Windows, Mac, Linux and Internet Explorer 10 for Windows 8. Flash Player 11 for Linux and Adobe Air for all platforms were given a lower criticality rating and administrators can update at their discretion, Adobe said.

The critical bugs enabling remote code execution exploit for the most part memory issues, including a memory leakage issue that could allow an attacker to bypass address space layout randomization (ASLR). Another six CVEs address memory corruption vulnerabilities that lead to code execution, as well as a use-after-free vulnerability, security-bypass vulnerability, a heap buffer overflow and another bug that allows a hacker to bypass the same origin policy.

Adobe had also planned to release new versions of Adobe Acrobat and Reader, but decided to reschedule its release to next week.

“This delay was necessary to address issues identified during routine regression testing,” Adobe said.

The update reportedly addresses critical vulnerabilities in Adobe Reader XI (11.0.08) and earlier versions for Windows and Macintosh, Adobe Reader X (10.1.10) and earlier versions for Windows and Macintosh, Adobe Acrobat XI (11.0.08) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.10) and earlier versions for Windows and Macintosh.

This article was corrected to reflect that the updated Adobe patch will be available the week of Sept. 15.

Suggested articles

Discussion

  • Sandra Newman on

    Does any of the above address the Gray Circle Of Death? I can't play Farmville2 because of GCOD.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.