Nine of the flaws allow arbitrary code execution

Mar 12, 2015 21:52 GMT

Adobe rolled out a new build for Flash Player that fixes a set of 11 security flaws in the software, most of them giving a potential attacker the opportunity to execute code on the affected machine.

Ten of the eleven bugs were reported to Adobe by security researchers from outside companies, who also worked with Adobe on the fixes.

Code execution risks most prevalent

An attacker could run arbitrary code on a vulnerable system by exploiting memory corruption, type confusion, integer overflow and use-after-free vulnerabilities in Adobe Flash Player versions earlier than 17.0.0.134 and 13.0.0.277 (extended support) on Windows and Mac, and earlier than 11.2.202.451 on Linux.
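Deciding whether a given machine is still exposed comes down to comparing its installed build, field by field, against the fixed version for its platform and release branch. The script below is an added example, not code from Adobe or from the article: the three fixed version strings are the ones quoted above, while the platform-to-branch mapping, the function names and the sample inventory are assumptions made for illustration.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Minimum patched build per platform and release branch, as given in the
# article: 17.0.0.134 (Windows/Mac), 13.0.0.277 (extended support on
# Windows/Mac) and 11.2.202.451 (Linux).
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("windows", "standard"): "17.0.0.134",
    ("mac", "standard"): "17.0.0.134",
    ("windows", "esr"): "13.0.0.277",
    ("mac", "esr"): "13.0.0.277",
    ("linux", "standard"): "11.2.202.451",
}


def parse_version(text: str) -> Version:
    """Turn a Flash Player version string into a comparable 4-tuple.

    Accepts the dotted form used in the bulletin ("17.0.0.134") as well as the
    comma form the plugin reports through Capabilities.version
    ("WIN 16,0,0,305"). Comparing the raw strings would be wrong: "9.0.0.1"
    sorts after "17.0.0.134" as text, so each field must be compared as an int.
    """
    token = text.strip().split()[-1].replace(",", ".")
    fields = token.split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    a, b, c, d = (int(f) for f in fields)
    return (a, b, c, d)


def release_branch(platform: str, version: Version) -> str:
    """Pick the branch whose fixed build applies to this install.

    Assumption (matching the branches the article names): on Windows and Mac a
    13.x build is the extended-support release and anything else is the
    standard release; Linux only has the 11.2 branch.
    """
    if platform in ("windows", "mac") and version[0] == 13:
        return "esr"
    return "standard"


def is_vulnerable(platform: str, installed: str) -> bool:
    """True if `installed` on `platform` predates the build that closes the
    eleven flaws, i.e. the machine still needs this update."""
    platform = platform.lower()
    version = parse_version(installed)
    key = (platform, release_branch(platform, version))
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unsupported platform: {platform!r}")
    return version < parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need patching, given
    (hostname, platform, version) records such as an asset-inventory export."""
    return [host for host, plat, ver in inventory if is_vulnerable(plat, ver)]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data); one
    # entry uses the Capabilities.version comma form to exercise that path.
    sample = [
        ("ws-01", "windows", "16.0.0.305"),    # standard branch, pre-fix
        ("ws-02", "windows", "17.0.0.134"),    # patched
        ("ws-03", "mac", "13.0.0.269"),        # extended support, pre-fix
        ("ws-04", "mac", "13.0.0.277"),        # patched
        ("srv-01", "linux", "11.2.202.442"),   # pre-fix
        ("srv-02", "linux", "11.2.202.451"),   # patched
        ("ws-05", "windows", "WIN 9,0,0,1"),   # ancient; string compare would miss it
    ]
    for host in triage(sample):
        print(f"{host}: needs update")
```

Feeding the script an inventory export is the quickest way to confirm that the automatic update mechanisms actually reached every machine, rather than trusting that they did.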

Apart from these, Adobe also plugged a security hole that could lead to a cross-domain policy bypass and one that could allow file upload restrictions to be bypassed.

In the security bulletin published on Thursday, Adobe does not indicate whether any of the repaired issues is currently being exploited in the wild by threat actors.

Almost half of the flaws reported by Google researchers

As is usually the case on Windows and Mac, users are advised to switch to the latest version without delay, as Adobe assigned the update its highest priority rating (priority 1) on those platforms.

On Linux, moving to the new revision is assigned the lowest priority (priority 3), which Adobe reserves for products that have historically not been a target for attackers.

Almost half of the vulnerabilities have been reported by security researchers from Google Project Zero. Other security companies that disclosed the problems are Hewlett-Packard, NCC Group, Intel and McAfee.

In Google Chrome and Internet Explorer (on Windows 8 and later), the patch is pushed automatically through each browser's own update mechanism.

The procedure is also seamless in the case of the desktop runtime, if the automatic update feature is enabled. Otherwise, the new binaries are available from the developer’s page.

Alternatively, Flash Player can be downloaded from Softpedia for Windows, Mac or Linux.