
Adobe plugs critical Flash Player vulnerabilities

Adobe has released fixes for seven critical bugs in its Flash Player plug-in.

On Tuesday, the company published a security bulletin detailing the vulnerabilities, which could potentially allow an attacker to take over vulnerable systems, Adobe said. Five bugs were memory leakage vulnerabilities that saboteurs could exploit to bypass memory address randomization.

The update also patched a security bypass flaw and a use-after-free vulnerability that could lead to code execution, the bulletin said. The release was for Adobe Flash Player 140.0.0.145 and earlier on Windows and Macintosh platforms, and for Flash Player 11.2.202.394 and earlier versions for Linux.

Adobe acknowledged researchers from Google Project Zero and HP's Zero Day Initiative for reporting the memory leakage vulnerabilities and helping to resolve the issue. Wen Guanxing of Venustech Adlab and Soroush Dalili of NCC Group disclosed information on the remaining bugs, the company said.

UPDATE: On Tuesday, Adobe also patched a critical vulnerability (CVE-2014-0546) affecting Adobe Reader and Acrobat XI (11.0.07) and earlier versions for Windows. According to the company, the sandbox bypass vulnerability had already been leveraged to carry out zero-day attacks in "limited, isolated" instances against Adobe Reader users. The bug could be exploited to run native code with escalated privileges on Windows, a security bulletin said.
