Adobe fixes critical code execution bugs in Flash

The latest security update includes fixes for security flaws in Flash and Shockwave.

Adobe has released fixes for security problems in Flash and Shockwave, including patches for bugs which allow attackers to execute code.


In a security advisory on Tuesday, Adobe said the update resolves seven vulnerabilities in Adobe Flash Player, six of which are critical security flaws which impact the Windows, Mac, Linux, and Chrome OS operating systems running Flash versions and earlier.

One of the most critical problems is CVE-2017-2997, a buffer overflow vulnerability in the Primetime TVSDK functionality that supports customizing advertising information.

Two other bugs now squashed in this update are CVE-2017-2998 and CVE-2017-2999, both of which are memory corruption vulnerabilities found within the Primetime TVSDK API and Primetime TVSDK.

In addition, Adobe has fixed three use-after-free security vulnerabilities, CVE-2017-3001, CVE-2017-3002, and CVE-2017-3003. The trio of bugs was discovered in the garbage collection in the ActionScript 2 VM, the Flash ActionScript 2 TextField object, and the interaction between the privacy user interface and the ActionScript 2 Camera object.

All of the above vulnerabilities are deemed critical and could lead to attackers executing arbitrary code. However, Adobe says there have been no reports of these security flaws being exploited in the wild.

Adobe has also resolved CVE-2017-3000, which is a random number generator vulnerability that could lead to information disclosure.

Adobe has also fixed a security flaw in the Shockwave Player. The vulnerability, CVE-2017-2983, affects the Windows platform running Adobe Shockwave versions and earlier. The security flaw is an insecure library loading (DLL hijacking) vulnerability which can lead to privilege escalation.

Adobe has thanked researchers from Palo Alto Networks, Nanyang Technological University, the Chromium Vulnerability Rewards Program and Trend Micro's Zero Day Initiative, among others, for disclosing the security issues.

The company strongly recommends that Windows, Macintosh, Linux and Chrome OS users still running Flash update to the latest version as quickly as possible. If automatic updates are enabled, the update will be rolled out without users needing to do anything other than accept it.

In February this year, Adobe resolved 13 security problems, all of which permitted attackers to remotely execute code in its software.
