Adobe plugs critical Flash Player vulnerabilities
On Tuesday, the company published a security bulletin detailing the vulnerabilities, which could potentially allow an attacker to take over vulnerable systems, Adobe said. Five bugs were memory leakage vulnerabilities which saboteurs could exploit to bypass memory address randomization.
The update also patched a security bypass flaw and a use-after-free vulnerability that could lead to code execution, the bulletin said. The release was for Adobe Flash Player 184.108.40.206 and earlier on Windows and Macintosh platforms, and for Flash Player 220.127.116.114 and earlier versions for Linux.
Adobe acknowledged researchers from Google Project Zero and HP's Zero Day Initiative for reporting the memory leakage vulnerabilities, and helping to resolve the issue. Wen Guanxing of Venustech Adlab and Soroush Dalili of NCC Group disclosed information on the remaining bugs, the company said.
UPDATE: On Tuesday, Adobe also patched a critical vulnerability (CVE-2014-0546) affecting Adobe Reader and Acrobat XI (11.0.07) and earlier versions for Windows. According to the company, the sandbox bypass vulnerability had already been leveraged to carry out zero-day attacks in "limited, isolated" instances against Adobe Reader users. The bug could be exploited to run native code with escalated privileges on Windows, a security bulletin said.