Adobe today released the year’s first round of security updates for Flash Player, addressing nine vulnerabilities in the software including several critical bugs that could allow an attacker to take control of an affected system.
According to a security bulletin posted by the company today the vulnerabilities affect older versions of Flash on Windows, Macintosh and Linux machines. While version numbers differ by product installation, today’s updates primarily affect Flash Player version 16.0.0.235 and earlier.
Researchers working with Google’s Project Zero discovered three of the nine vulnerabilities, all of which can lead to code execution.
One of bugs is an information disclosure vulnerability (CVE-2015-0303) dug up by Chris Evans and Tavis Ormandy while another, a type confusion vulnerability (CVE-2015-0305) was found by researcher Natalie Silvanovich, working with Project Zero. Evans also helped Fermin J. Serna, a member of Google’s Security Team in finding a use-after-free bug, which, like the previously mentioned bugs, could lead to code execution.
One of the more interesting bugs fixed can apparently be exploited to capture keystrokes on an affected system but no further information on the vulnerability, including who found it, was given by Adobe.
A pair of heap-based buffer overflows that could lead to code execution, an improper file validation issue, and an out-of-bounds read vulnerability were also fixed by today’s Patch Tuesday updates.
Adobe said none of the vulnerabilities, despite more than half of them being branded critical, are being exploited in the wild.
Adobe is encouraging users to update to the most recent build of Flash, 16.0.0.257. While users who have Flash installed via Internet Explorer and Chrome will be automatically updated to the latest version, other users who run a desktop version, will want to update via Adobe’s mechanism when it pops up.
