Adobe plugs critical Flash Player vulnerabilities

Adobe has released fixes for seven critical bugs in its Flash Player plug-in.

On Tuesday, the company published a security bulletin detailing the vulnerabilities, which could potentially allow an attacker to take over vulnerable systems, Adobe said. Five bugs were memory leakage vulnerabilities that saboteurs could exploit to bypass memory address randomization.

The update also patched a security bypass flaw and a use-after-free vulnerability that could lead to code execution, the bulletin said. The release was for Adobe Flash Player 140.0.0.145 and earlier on Windows and Macintosh platforms, and for Flash Player 11.2.202.394 and earlier versions for Linux.

Adobe acknowledged researchers from Google Project Zero and HP's Zero Day Initiative for reporting the memory leakage vulnerabilities and helping to resolve the issue. Wen Guanxing of Venustech Adlab and Soroush Dalili of NCC Group disclosed information on the remaining bugs, the company said.

UPDATE: On Tuesday, Adobe also patched a critical vulnerability (CVE-2014-0546) affecting Adobe Reader and Acrobat XI (11.0.07) and earlier versions for Windows. According to the company, the sandbox bypass vulnerability had already been leveraged to carry out zero-day attacks in "limited, isolated" instances against Adobe Reader users. The bug could be exploited to run native code with escalated privileges on Windows, a security bulletin said.