Adobe’s Flash Player needs updating after the company patched a set of six vulnerabilities in its latest revision, 18.104.22.168.
Exploits for one of the flaws are already in the wild. Reported by bilou of HP’s Zero Day Initiative (ZDI), the flaw (CVE-2014-9163) is a stack-based buffer overflow that an attacker can use to execute arbitrary code.
Users should update to the latest version of Flash as soon as possible, the company said. Google Chrome (regardless of the operating system) and Internet Explorer web browsers apply the new version automatically, through the built-in update mechanism.
The company said that not all previous versions of the program are vulnerable: users who already have build 22.214.171.124 installed are out of the danger zone as far as CVE-2014-9163 goes. Nevertheless, the new update should still be applied, because it incorporates other security fixes too.
Most of the flaws eliminated could allow an attacker to execute arbitrary code on the affected systems. To mitigate this risk, the developer dealt with two memory corruption issues (both attributed to researchers and security experts from Google) and one use-after-free bug (attributed to Haifei Li of McAfee Labs IPS Team).
Two additional fixes address an information disclosure vulnerability (CVE-2014-9162) and a bypass of the same-origin policy (CVE-2014-0580); the same-origin policy is the browser restriction that keeps code from outside the application from interfering with it.
The newest Flash update is 126.96.36.199 for Windows and Mac platforms, on which it has received the developer's top priority rating. In the case of Linux, the latest version is 188.8.131.525, but there is no immediate concern to install it, as administrators could apply it “at their discretion.”
Unless the auto-update feature is on, users will need to install the latest revision of Flash Player manually.
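Checking whether an installed build is at or above the patched one sounds trivial, but scripts that compare dotted version strings as plain text get it wrong (for example, "9.0.0.1" sorts after "16.0.0.1" as a string). The helper below, an added example that is not Adobe's code, compares versions numerically field by field; every version string in it is a constructed placeholder, not a build number from the advisory.

```python
import re
from typing import Tuple

# Placeholder per-platform minimum builds (constructed values, not Adobe's real
# build numbers); an administrator would fill these from the vendor advisory.
FIXED_VERSION = {
    "windows": "12.3.4.500",
    "mac": "12.3.4.500",
    "linux": "11.2.100.40",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version like '12.3.4.500' into (12, 3, 4, 500).

    Rejects anything that is not purely numeric fields separated by dots,
    so a typo or an empty string fails loudly instead of comparing as 'patched'.
    """
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(part) for part in v.split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, comparing field by field as integers.

    Missing trailing fields count as zero, so '12.3' equals '12.3.0.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def is_patched_for_platform(installed: str, platform: str) -> bool:
    """Look up the placeholder minimum build for the platform and compare."""
    return is_patched(installed, FIXED_VERSION[platform.lower()])


def naive_is_patched(installed: str, fixed: str) -> bool:
    """The common bug: lexicographic string comparison. Kept only to show
    that it disagrees with the numeric comparison once a field reaches two digits."""
    return installed >= fixed


if __name__ == "__main__":
    for build in ("12.3.4.500", "12.3.4.499", "9.9.9.999", "12.3"):
        print(build, "patched" if is_patched_for_platform(build, "windows") else "UPDATE NEEDED")
```

The numeric comparison is what an inventory or compliance script should use; the string version is included only to make the failure visible next to it.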
Apart from Flash, Adobe also delivered a set of 20 fixes for Reader and Acrobat products, incrementing the version number to 11.0.10.
One of the problems solved has received the identifier CVE-2014-9150; it would allow an attacker to bypass the sandbox protection mechanism and write code to locations on the host machine, via an NTFS junction attack.
However, although a sandbox escape is a very serious issue, exploiting this one in a previous release of Adobe Reader would be close to impossible, because the developer made in-depth modifications that would prevent abuse, said James Forshaw of Google Project Zero, who uncovered the issue.