Adobe Flash Player Turns 18; Update Stomps Out Security Bugs
Posted by Derek Erwin
Adobe Systems has released Flash Player 18.0.0.160 for Mac and Windows, along with version 11.2.202.466 for Linux. These updates stomp out a total of 13 security bugs discovered in Adobe software.
“These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” notes Adobe’s security bulletin.
Affected software versions include: Adobe Flash Player 17.0.0.188 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.460 and earlier 11.x versions for Linux, Adobe AIR Desktop Runtime 17.0.0.172 and earlier versions for Mac and Windows, and Adobe AIR for Android 17.0.0.144 and earlier versions.
The security bugs fixed in these updates are described as follows:
- These updates resolve a vulnerability (CVE-2015-3096) that could be exploited to bypass the fix for CVE-2014-5333.
- These updates improve memory address randomization of the Flash heap for the Windows 7 64-bit platform (CVE-2015-3097).
- These updates resolve vulnerabilities that could be exploited to bypass the same-origin policy and lead to information disclosure (CVE-2015-3098, CVE-2015-3099, CVE-2015-3102).
- These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2015-3100).
- These updates resolve a permission issue in the Flash broker for Internet Explorer that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2015-3101).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-3104).
- These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2015-3105).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3103, CVE-2015-3106, CVE-2015-3107).
- These updates resolve a memory leak vulnerability that could be used to bypass ASLR (CVE-2015-3108).
Mac and Windows users should update to Adobe Flash Player 18.0.0.160 (15.3 MB), and Linux users should update to Adobe Flash Player 11.2.202.466 when possible. Users of the Adobe Flash Player Extended Support Release for Windows and Macintosh should update to Adobe Flash Player 13.0.0.292.
Flash Player installed with Google Chrome will automatically update to version 18.0.0.160 (Windows and Linux) and 18.0.0.161 (Macintosh). Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 18.0.0.160.
Users of the Adobe AIR Desktop Runtime should update to version 18.0.0.143 (Mac OS X) and 18.0.0.144 (Windows). Users of Adobe AIR for Android should update to version 18.0.0.143.