Most of the fixes address memory leakage vulnerabilities

Aug 12, 2014 21:29 GMT
Attacker could potentially take control of the system with unpatched Flash Player

The latest revision of Adobe Flash Player adds no fewer than seven security patches to the software, all marked critical.

Four of the glitches were reported by Chris Evans from Google’s Project Zero, and all of them (CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545) caused memory leaks that could be leveraged for bypassing memory address randomization.

Another one, receiving the CVE-2014-0540 identifier and credited to HP’s Zero Day Initiative, would offer the same advantage to a potential attacker.

The other two patches resolve a use-after-free flaw (CVE-2014-0538) that could lead to remote code execution, and a security bypass glitch (CVE-2014-0541). They are credited to Wen Guanxing from Venustech Adlab and Soroush Dalili of the NCC Group, respectively.

Adobe said in the security bulletin that it was not aware of any exploits for these vulnerabilities being available in the wild. However, according to the company, an attacker could potentially take advantage of them to gain control of a system running unpatched versions of the software.

Users are advised to update to the latest release of Adobe Flash Player. This can be done automatically, if the built-in update mechanism is turned on.

The Google Chrome and Internet Explorer variants are also expected to be patched without user intervention, through the automatic browser updates pushed to the users.

Also receiving an update are Adobe Reader and Acrobat, against a zero-day vulnerability that is currently exploited in the wild in isolated attacks against Windows users.