Adobe pushed out a new update for Flash Player, fixing 18 vulnerabilities.
There is no information about exploits available, but the developers marked the release with a critical severity rating.
One of the flaws repaired in version 220.127.116.11 of the product refers to a time-of-check time-of-use (TOCTOU) race condition that could end up used to bypass the Protected Mode feature in Internet Explorer.
Credited for reporting the issue is Jihui Lu of Keen Team, who participated at the Pwn2Own hacking competition this year. Together with his team members, he managed to break Flash Player by leveraging a heap overflow remote code execution vulnerability, which brought them a $60,000 reward.
Nicolas Joly, also a contestant at Pwn2Own, reported via HP’s Zero Day Initiative a problem that could suffer from exploitation to write arbitrary data to the file system under user permissions. Versions of Flash 18.104.22.168 and earlier include three such vulnerabilities.
The type of glitches that may permit running arbitrary code on the system range from memory corruption, heap overflow, integer overflow, type confusion and use-after-free.
All of the vulnerabilities ended up reported by external researchers, mostly from Google’s Project Zero (Chris Evans and Natalie Silvanovich) and by bilou, working with the Chromium Vulnerability Reward Program, according to the security advisory published by Adobe.
Chris Evans has also reported two vulnerabilities (CVE-2015-3091, CVE-2015-3092) an attacker could use to bypass the ASLR (address space layout randomization) security measure designed for protection against buffer overflow attacks.
Updating to the new release is done automatically for users of Google Chrome and Internet Explorer (in Windows 8 and above), via the browsers’ built-in self-update mechanism. The same applies to Flash installations that have the automatic update feature enabled.