Adobe today released sizable updates for Flash Player, Reader and Acrobat, patching 18 and 34 vulnerabilities respectively in the software.
None of the vulnerabilities in any of the three products, Adobe said, are being publicly exploited.
The Flash Update for Windows, Mac OS X, and Linux patches vulnerabilities that would allow an attacker to remotely take control of the compromised computer.
Adobe Flash Player 126.96.36.199 and earlier versions, Adobe Flash Player 188.8.131.521 and earlier 13.x versions, Adobe Flash Player 184.108.40.2067 and earlier 11.x versions, AIR Desktop Runtime 220.127.116.11 and earlier versions, and AIR SDK and SDK & Compiler 18.104.22.168 and earlier versions are affected and patched by this update, Adobe said.
Most of the vulnerabilities open the door to code execution, Adobe said. The update addresses four memory corruption vulnerabilities, one heap overflow flaw, an integer overflow bug, three type confusion bugs, and a use-after-free vulnerability that allow an attacker to run code remotely and control a machine.
The Flash update also addresses a time-of-check time-of-use race condition that bypasses Internet Explorer’s Protected Mode. Three other bugs were patched that allow an attacker to write data to a file system with the same permission as the user. Two memory leak issues were also addressed that lead to bypass of Address Space Layout Randomization (ASLR) and a separate security bypass vulnerability that could lead to information disclosure.
The Reader and Acrobat updates affect Adobe Reader XI (11.0.10) and earlier 11.x versions, Adobe Reader X (10.1.13) and earlier 10.x versions, Adobe Acrobat XI (11.0.10) and earlier 11.x versions, Adobe Acrobat X (10.1.13) and earlier 10.x versions.
The most serious of the bugs lead to code execution, Adobe said. Ten memory corruption vulnerabilities were addressed, along with five use-after free vulnerabilities, a buffer overflow and heap-based buffer overflow, all of which allow an attacker to remotely run code.
The remaining bugs patched in the updates include a memory leak issue, a null-pointer dereference issue that enables denial-of-service attacks, and additional hardening protecting against an information disclosure bug in the handling of XML external entities.