14 DAY TRIAL // The latest Flash Player update from Adobe addresses a set of 13 security flaws, successful exploitation of most of them allowing an attacker unauthorized access to the system and execution of arbitrary code.
The company notes that starting August 11, the Extended Support Release, currently at version 13.0.0.289, will also be updated in Flash Player 18 for Windows and OS X operating systems, giving an early warning to users about making preparations for the switch.
Update removes glitches leading to code execution
Adobe eliminated three issues that could be leveraged for information disclosure by bypassing the same-origin policy (SOP). Two of them (CVE-2015-3098 and CVE-2015-3099) are credited to Malte Batram, while the third one (CVE-2015-3102) was reported by Pujun Li from PKAV team (pkav.net).
A permission issue in the Flash broker for Internet Explorer was also fixed; exploitation could permit increasing escalation privilege on a machine from low to medium integrity level.
Vulnerabilities leading to code execution on the underlying operating system ranged from an integer and a stack overflow and a memory corruption glitch to three use-after-free flaws.
Also on the list is a vulnerability that could be used to bypass the Address Space Layout Randomization (ASLR) protection and an improvement for the address randomization of the Flash heap for Windows 7 64-bit.
Updating should be a priority
For Internet Explorer on Windows 8 and above, as well as for Google Chrome (Windows, Mac and Linux), the new version is installed automatically through the update mechanisms built into the web browsers.
“Users of the Adobe Flash Player Desktop runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.160,” Adobe says in a security advisory released on Tuesday.
Installing the latest revision of the software should not be delayed as cybercriminals rely on this to infect systems with outdated Flash Player.
Recently, a report from FireEye revealed that threat actors were quick at exploiting flaws patched by Adobe two weeks earlier. The payload was Bedep, which is generally used for ad-fraud operations, but it restarted the infection cycle to deliver additional malware on the system.