Adobe Patches Flash Flaw Targeted by Exploit in the Wild
Posted on
by
Derek Erwin
Adobe Systems has released a patch for 22 vulnerabilities in Flash Player, one of which is reportedly under attack by an exploit that exists in the wild. The most critical vulnerability, CVE-2015-3043, could lead to code execution. Adobe’s Flash Player security updates are available for Macintosh, Windows and Linux.
“Adobe is aware of a report that an exploit for CVE-2015-3043 exists in the wild, and recommends users update their product installations,” said Adobe. If you reached this page because you’re unsure if a popup alert from Adobe is real, take a look at our helpful guide for best practices how to safely install and update Adobe Flash Player.
Affected software versions (now out of date and vulnerable) include: Adobe Flash Player 17.0.0.134 and earlier versions, Adobe Flash Player 13.0.0.277 and earlier 13.x versions, and Adobe Flash Player 11.2.202.451 and earlier 11.x versions.
Adobe’s security bulletin describes the vulnerabilities patched in these updates as follows:
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043).
- These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-0356).
- These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-0348).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358, CVE-2015-3039).
- These updates resolve double-free vulnerabilities that could lead to code execution (CVE-2015-0346, CVE-2015-0359).
- These updates resolve memory leak vulnerabilities that could be used to bypass ASLR (CVE-2015-0357, CVE-2015-3040).
- These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3044).
Adobe Flash users running Mac OS X and Windows computers should update to Adobe Flash Player 17.0.0.169 (14.9 MB) as soon as possible to avoid potential attacks. Linux users should update to Adobe Flash Player 11.2.202.457.
Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Flash Player 17.0.0.169. Moreover, Adobe Flash installed with Internet Explorer (IE) for Windows 8.x will automatically be updated to the latest version when available, which will include Adobe Flash Player 17.0.0.169.
In addition to patching Flash Player vulnerabilities, Adobe has also released security updates for ColdFusion and Adobe Flex—each addressing a separate vulnerability.