Adobe continues the rush of updates and releases with its new version of Flash Player (22.214.171.124) for Windows and Macintosh, and for Linux (126.96.36.1997).
These security updates fix 22 critical vulnerabilities that could lead to code execution and allow an attacker to take control of the affected system.
The following are the vulnerabilities:
• Memory corruption vulnerabilities that could lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043)
• A type confusion vulnerability that could lead to code execution (CVE-2015-0356)
• A buffer overflow vulnerability that could lead to code execution (CVE-2015-0348)
• Use-after-free vulnerabilities that could lead to code execution (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358, CVE-2015-3039)
• Double-free vulnerabilities that could lead to code execution (CVE-2015-0346, CVE-2015-0359)
• Memory leak vulnerabilities that could be used to bypass ASLR (CVE-2015-0357, CVE-2015-3040)
• A security bypass vulnerability that could lead to information disclosure (CVE-2015-3044)
CVE-2015-3043, reported by a researcher who wished to remain anonymous, is currently being exploited, but Adobe didn’t share more details about the attacks.
The vulnerability affects Adobe Flash Player before 188.8.131.521 and 14.x through 17.x before 184.108.40.206 on Windows and OS X and before 220.127.116.117 on Linux, and allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Because of this, and the seriousness of the other bugs, Adobe advised users to install the updates as soon as possible.
If you have automatic updating turned on for your Flash installation, the updates will install automatically.
Google Chrome and Internet Explorer (10 and 11) users will also receive the updates automatically, via the browsers’ update mechanisms.