Google, Microsoft, Tencent point out latest code execution bugs to hit Adobe Flash

Adobe and its security-troubled Flash player have continued the code-executing pattern of behaviour set for the web content platform many years ago.

Another year, and with it another bunch of code-execution vulnerabilities within Flash announced by Adobe in a security advisory.

The vulnerabilities run the gamut of operating systems that Flash is able to run on -- Windows, macOS, Linux, and Chrome OS -- with users urged to update to a version of Flash later than 24.0.0.186.

Of the details given by Adobe on the issues, the company said it resolved three use-after-free bugs, four heap buffer overflows, and five memory corruption issues -- all of which could lead to code execution.

Google's Project Zero reported five of the issues to Adobe, Microsoft Vulnerability Research contributed two bug reports, the Chromium Vulnerability Rewards Program reported three issues, and Tencent reported one.

The new release of Flash also fixes an issue described by Adobe as "a security bypass vulnerability that could lead to information disclosure", which was also found by a Project Zero researcher.

Flash has been a serial offender when it comes to code execution vulnerabilities for many years.

Unlike some advisories in the past, Adobe did not say in its latest update that it had noticed any of the vulnerabilities being exploited in the wild.

Last month, Microsoft announced that it would make Flash content Click-to-Run in its Edge browser, with the functionality to reach mainstream users of Windows 10 in the upcoming Creators Update due in early 2017.

Other browser makers have supported similar functionality for some time.
