Adobe released a security update today that addresses several critical flaws in Flash Player and AIR on Windows, Mac and Linux that could allow third-party code execution and the disclosure of private information.
Four critical security vulnerabilities were highlighted in this update by Adobe:
- A use-after-free vulnerability that could result in arbitrary code execution (CVE-2014-0506).
  This vulnerability was demonstrated during the Pwn2Own hacking competition in March by researchers at the French security firm Vupen. Pwn2Own awards cash prizes to researchers who demonstrate previously unknown software vulnerabilities. At Pwn2Own, Vupen also identified a critical vulnerability in Adobe Reader that was not addressed in this release and remains a potential threat.
- A buffer overflow vulnerability that could result in arbitrary code execution (CVE-2014-0507).
- A security bypass vulnerability that could lead to information disclosure (CVE-2014-0508).
- A cross-site-scripting vulnerability (CVE-2014-0509).
Adobe stated that it has no knowledge of exploits “in the wild” that take advantage of the vulnerabilities.
Google Chrome, Internet Explorer 10 and Internet Explorer 11 installations will receive this update automatically.
Apple released support documentation alerting users of older versions of Adobe Flash Player to the vulnerabilities and urging them to apply the update.
Adobe Flash animation is used widely in web site design and in web site advertisements. In recent years, hackers have used flaws in Flash to spread malware and execute nefarious scripts and code.