14 DAY TRIAL // Adobe released a new version of Flash Player, which includes security fixes for no less than 22 vulnerabilities, one of them, a memory corruption flaw, being leveraged in the wild.
Almost half of the bugs repaired in build 17.0.0.169 touch on memory corruption problems, whose successful exploitation could allow an attacker to execute arbitrary code on the affected machine.
Google's contribution to a more secure Flash Player is significant
Other risks eliminated by the developers include four use-after-free glitches, two memory leak vulnerabilities that could be leveraged to bypass ASLR (address space layout randomization) protection, one buffer overflow, and one type confusion weakness.
Additionally, Adobe removed two double-free issues and one that could allow an attacker access to potentially sensitive information.
Most of the researchers that reported the flaws are from Google, either part of Project Zero or of the Security Team. Two of the researchers, Jihui Lu and bilou, reported their findings as part of the Chromium Vulnerability Reward program.
Other researchers involved in the responsible disclosure of errors include experts working with HP’s Zero Day Initiative (Nicolas Joly, s3tm3m) and Jouko Pynnönen of Klikki Oy.
However, none of them reported the glitch currently leveraged in the wild (CVE-2015-3043); the researcher who did chose to remain anonymous. On the same note, it is unclear how long the vulnerability has been used by third parties.
Updating to the new releases is highly recommended
In the security bulletin released by Adobe on Tuesday, it is recommended that users update to the latest release of the software as soon as possible, especially since one of the weaknesses is leveraged by ill-intended actors.
Users of Google Chrome and Internet Explorer (in Windows 8 and above) receive the new version automatically, via the update mechanisms available for the two web browsers.
The procedure is carried out similarly in the case of Flash installations that have the automatic updates turned on.
The current Flash Player revision for Windows and Mac is 17.0.0.169 and the one with extended support is 13.0.0.281. Linux users should update to build 11.2.202.457.