In its last Patch Tuesday of the year, Adobe released its December security updates, which addressed a record 78 security vulnerabilities and included five Priority 1 updates and five Priority 3 updates.
The patches affected all platforms: 56 addressed use-after-free vulnerabilities, 12 resolved memory corruption vulnerabilities and five fixed various types of overflow vulnerabilities, all of which could lead to code execution, according to the Tuesday release.
The Adobe Flash Players installed with Google Chrome, Microsoft Edge and Internet Explorer for Windows 10, and Internet Explorer for Windows 8.x will automatically update to Adobe Flash Player 22.214.171.124 for Windows, Macintosh, Linux and Chrome OS.
Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, will also update automatically for users who have selected the option to ‘Allow Adobe to install updates’, while users who haven’t selected the option can manually install the update mechanism when prompted, the release said.
Users of Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to version 126.96.36.199 for Internet Explorer and version 188.8.131.52 for Firefox and Safari by visiting the Adobe Download Center, the release said.
Adobe also recommended in the release that users of Adobe Flash Player for Linux update to Adobe Flash Player 184.108.40.2064 and users of the AIR desktop runtime, AIR SDK and AIR SDK & Compiler update to version 220.127.116.11 by visiting the Download Center.
“All but three of the vulnerabilities could be used by an attacker to gain code execution running under the user in the browser. From there a second vulnerability would have to be used to become system on the machine (look at MS15-135 for an example), but then the attacker would have full control,” Qualys CTO Wolfgang Kandek said in a Dec. 8 post on his company’s blog.
“Flash-based attacks have been a favorite for attackers for the year with many exploit kits providing very up-to-date exploits – include this in your high priority items,” Kandek said.
In November, Adobe announced it was transitioning its Flash Professional CC software to something new called Animate CC, a move that some security experts say would make the platform more secure.
“I think this is a solid move. It is a recognition that video is better served through the browser and from a security perspective will let them [Adobe] trim down the app so there will be fewer vulnerabilities,” Mark Nunnikhoven, vice president of cloud research at Trend Micro, told SCMagazine.com.