Updating to the new version is highly recommended

Dec 10, 2014 08:27 GMT

Adobe patched a set of six vulnerabilities in the latest revision of Flash Player, 16.0.0.235, and an exploit for one of them is already being used in the wild.

Reported by bilou from HP’s Zero Day Initiative (ZDI), the flaw (CVE-2014-9163) is a stack-based buffer overflow that can be used to execute arbitrary code on the affected machine.

No further details are available at the moment, but users are advised to update to the latest version of Flash as soon as possible. The Google Chrome (regardless of the operating system) and Internet Explorer web browsers apply the new version automatically, through their built-in update mechanism.

Multiple RCE bugs have been removed

The company says in a security bulletin that not all previous versions of the program are vulnerable and that users who already have build 15.0.0.246 installed are out of the danger zone as far as CVE-2014-9163 is concerned. Nevertheless, the new update should be applied because it incorporates other security fixes too.

Most of the flaws eliminated could allow an attacker to execute arbitrary code on the affected systems. To mitigate this risk, the developer dealt with two memory corruption issues (both attributed to researchers and security experts from Google) and one use-after-free glitch (attributed to Haifei Li of McAfee Labs IPS Team).

Two additional fixes address an information disclosure vulnerability (CVE-2014-9162) and a flaw that could be exploited to bypass the same-origin policy (CVE-2014-0580), a protection that does not allow interference from code outside the application.

The newest Flash update is 16.0.0.235 for Windows and Mac platforms, where it has received the top priority rating from the developer. On Linux, the latest version is 11.2.202.425, and Adobe does not recommend any haste in installing it; administrators can apply it “at their discretion.”

Unless the auto-update feature is turned on, the latest revision of Flash Player needs to be installed manually.

Adobe fixes non-threatening glitch in Reader

Apart from Flash, Adobe also delivered a set of 20 fixes for Reader and Acrobat products, incrementing the version number to 11.0.10.

One of the problems solved has received the identifier CVE-2014-9150, and it would allow an attacker to bypass the sandbox protection mechanism and write code to locations on the host machine, via an NTFS junction attack.

However, even if a sandbox escape is a very serious issue, exploiting this one in a previous release of Adobe Reader would be close to impossible, because the developer made in-depth modifications that would prevent abuse, according to James Forshaw of Google Project Zero, who uncovered it.
