Adobe’s latest update for Flash Player fixes 13 security issues, where in most cases an attacker could gain unauthorized access to the system and execute arbitrary code.
Adobe eliminated three issues an attacker could use to take advantage of information disclosure by bypassing the same-origin policy (SOP). Two of the discoveries (CVE-2015-3098 and CVE-2015-3099) came from Malte Batram, while the third one (CVE-2015-3102) came from Pujun Li from PKAV team (pkav.net).
A permission issue in the Flash broker for Internet Explorer also ended up patched. If taken advantage of, the exploit could permit increasing escalation privilege on a machine from low to medium integrity level.
Vulnerabilities leading to code execution on the underlying operating system ranged from an integer and a stack overflow and a memory corruption glitch to three use-after-free flaws.
Also on the list is a vulnerability that could bypass the Address Space Layout Randomization (ASLR) protection and an improvement for the address randomization of the Flash heap for Windows 7 64-bit.
For Internet Explorer on Windows 8 and above, as well as for Google Chrome (Windows, Mac and Linux), the new version installs automatically through the update mechanisms built into the web browsers.
“Users of the Adobe Flash Player Desktop runtime for Windows and Macintosh should update to Adobe Flash Player 18.104.22.168,” Adobe said in a security advisory.
The company also said starting August 11, the Extended Support Release, currently at version 22.214.171.1249, will also update in Flash Player 18 for Windows and OS X operating systems. The warning gives users the opportunity to make preparations for the switch.