Google's security experts report most of the bugs

May 13, 2015 10:49 GMT

Adobe pushed a new update for Flash Player, fixing a total of 18 vulnerabilities, ten of which could allow an attacker to run arbitrary code on an affected machine.

There is no information about exploits being available in the wild for any of the issues, but the developers marked the release with a critical severity rating and assigned it top priority, so it deserves the utmost attention of Windows and Mac users.

Pwn2Own participants report Flash Player flaws

One of the flaws repaired in version 17.0.0.188 of the product is a time-of-check time-of-use (TOCTOU) race condition that could be leveraged to bypass the Protected Mode feature in Internet Explorer.

Credited for reporting the issue is Jihui Lu of Keen Team, who participated in the Pwn2Own hacking competition this year. Together with his team members, he managed to break Flash Player by leveraging a heap overflow remote code execution vulnerability, which brought them a $60,000 / €53,000 reward.

Nicolas Joly, also a contestant at Pwn2Own, reported via HP’s Zero Day Initiative a problem that could be exploited to write arbitrary data to the file system under user permissions. Flash versions 17.0.0.169 and earlier include three such vulnerabilities.

Code execution bugs

The flaws that may permit running arbitrary code on the system include memory corruption, heap overflow, integer overflow, type confusion and use-after-free.

All of them were reported by external researchers, mostly from Google’s Project Zero (Chris Evans and Natalie Silvanovich) and by bilou, working with the Chromium Vulnerability Reward Program, according to the security advisory published by Adobe on Tuesday.

Chris Evans has also reported two vulnerabilities (CVE-2015-3091, CVE-2015-3092) that could be leveraged to bypass the ASLR (address space layout randomization) security measure designed for protection against buffer overflow attacks.

Updating to the new release is done automatically for users of Google Chrome and Internet Explorer (in Windows 8 and above), via the browsers’ built-in self-update mechanism. The same applies to Flash installations that have the automatic update feature enabled.

Users can also install Adobe Flash Player 17.0.0.188 manually for Windows and Mac. On Linux, the version number is 11.2.202.460.