Adobe fixed four critical vulnerabilities in its Flash software Tuesday, all of which attackers could use to execute code on vulnerable machines.
Flash is the most widely deployed piece of software on the Internet, and attackers regularly target the application with drive-by downloads. However, it’s becoming more and more difficult for attackers to exploit modern versions of Flash because of the sandbox Adobe added in recent versions.
Even so, at last week’s Pwn2Own hacking contest at the CanSecWest conference, researchers from VUPEN chained together three separate vulnerabilities to exploit Flash and escape the sandbox.
“Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it,” said Chaouki Bekrar, VUPEN chief executive. “It’s more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”
The March Flash update includes patches for four critical bugs: an integer overflow, a buffer overflow, a use-after-free and a memory corruption flaw. The update is for Windows, Mac, Linux and Android.