Adobe today released a new version of Flash Player that patches 18 vulnerabilities, all of which can result in remote code execution attacks.
On Tuesday, Adobe pushed out security updates for Reader, Acrobat and Digital Editions, and gave users a head’s up about an upcoming Flash update.
Today’s Flash release patches a host of memory-related security vulnerabilities that attackers can exploit to run code of their choice on compromised machines. Adobe said the flaws affect version 20.0.0.0306 for Windows and Macintosh on the desktop, and Flash for browsers, including Chrome, Microsoft Edge and Internet Explorer 11 on Windows 10 and Windows 8.1
Users should upgrade to 18.104.22.168 on those platforms, Adobe said, adding that it is aware of a public exploit used in limited targeted attacks against CVE-2016-1010, an integer overflow vulnerability that leads to remote code execution. The vulnerability was privately disclosed by Anton Ivanov, a researcher at Kaspersky Lab.
“Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks,” Kaspersky Lab said in a statement. “At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”
Adobe said three of the vulnerabilities patched today are integer overflow flaws that could result in remote code execution, another half-dozen memory corruption bugs, a heap over flow vulnerability, and eight use-after-free flaws.
Last month, Adobe pushed out its first Flash update of 2016, patching 22 remote code execution flaws.
Despite the relatively slow flow of Flash updates, the maligned player has been in the news regularly. In January, exploit acquisition company Zerodium announced that it would run a month-long bounty and pay as much as $100,000 for exploit code bypassing a heap isolation mitigation native to Flash Player. Heap partitioning was integrated into Flash Player last July; the technique isolates different types of objects on the heap making it difficult for attackers to dictate where objects are allocated.
Zerodium has not announced any payouts for its Flash bounty.
This article was updated with information about publicly available exploits.