Adobe has released security updates for its Flash Player program, addressing vulnerabilities in the software. Most of the vulnerabilities that are fixed in Adobe Flash Player 11.4.402.287 (or 11.4 for short) are related to arbitrary code execution. Although there are currently no known exploits and Adobe does not anticipate that exploits are imminent, Mac users should update to the newest version of Flash Player to resolve the critical vulnerabilities.
The newest version of Adobe Flash Player covers 25 CVEs (APSB12-22):
These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5257, CVE-2012-5259, CVE-2012-5260, CVE-2012-5262, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-5252, CVE-2012-5256, CVE-2012-5258, CVE-2012-5261, CVE-2012-5263, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272).
Mac users who have turned on silent updates will receive the update automatically. Those of you who do not have the “Allow Adobe to install updates (recommended)” option selected can install the update by downloading it from the Adobe Flash Player Download Center. Google’s Chrome browser offers a customer Flash Player that will automatically be updated to the latest version of Google Chrome, which will include Flash Player 11.4.402.287 for Macintosh.
In addition to Flash, Adobe also recommends users of Adobe AIR 3.4.0.2540 and earlier versions (for Macintosh) update to Adobe AIR 3.4.0.2710. Users of Adobe AIR SDK (includes AIR for iOS) should update to the Adobe AIR 3.4.0.2710 SDK.