Adobe Fixes 18 Critical Flaws in Flash Player

Adobe has released its latest Flash Player revision to fix 18 critical vulnerabilities, according to Security Bulletin APSB14-24.

“These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” the summary stated.

Adobe Flash Player for Desktop Runtime, Extended Support Release, Flash Player for Chrome and Internet Explorer on Windows, Macintosh and Linux received a priority rating of 1, which means they should be updated as soon as possible.

Adobe defines the priority 1 rating as an update that “resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”

Earlier versions of Flash Player or Adobe AIR on Windows, Mac, Android and iOS are affected by these flaws. An attacker could execute arbitrary code on vulnerable systems if he exploits one of the 15 most severe flaws.

The remote code execution exploit from Flash Player originated from memory corruption, use-after-free, double free, type confusion and heap buffer overflow vulnerabilities.

The last three vulnerabilities could allow an attacker to disclose session tokens and escalate privileges. These three originate from information disclosure, heap buffer overflow vulnerabilities and a permission issue.

Updates are made automatically for browser plug-ins such as Google Chrome or Internet Explorer. Users are advised to make sure the auto update feature from the desktop Flash Player release is turned on.