Adobe fixes Flash Player zero-day exploited in the wild
Adobe released a new version of Flash Player (22.214.171.124) for Windows and Macintosh, and for Linux (126.96.36.1997).
These security updates fix a host of critical vulnerabilities – 22 in all – most of which could lead to code execution and an attacker taking control of the affected system:
- Memory corruption vulnerabilities that could lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
- A type confusion vulnerability that could lead to code execution (CVE-2015-0356).
- A buffer overflow vulnerability that could lead to code execution (CVE-2015-0348).
- Use-after-free vulnerabilities that could lead to code execution (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358, CVE-2015-3039).
- Double-free vulnerabilities that could lead to code execution (CVE-2015-0346, CVE-2015-0359).
- Memory leak vulnerabilities that could be used to bypass ASLR (CVE-2015-0357, CVE-2015-3040).
- A security bypass vulnerability that could lead to information disclosure (CVE-2015-3044).
Reported by a researcher who wished to remain anonymous, the CVE-2015-3043 is currently being exploited in the wild., but Adobe didn’t share more details about the attacks.
According to a write-up at the Security Database, the vulnerability affects Adobe Flash Player before 188.8.131.521 and 14.x through 17.x before 184.108.40.206 on Windows and OS X and before 220.127.116.117 on Linux, and allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Because of this, and the seriousness of the other bugs, Adobe has advised users to implement the updates as soon as possible.
If you have automatic updating turned on on your Flash installation, the updates will be installed automatically. For those who don’t, a visit to the Flash Player Download Center is in order.
Google Chrome and Internet Explorer (10 and 11) users will also be receiving the updates automatically, via the browsers’ update mechanisms.