
Adobe releases surprise security update: 23 critical vulnerabilities fixed

Why the rush? Speculation suggests the company may be coming too close for comfort to public disclosure dates.
Written by Charlie Osborne, Contributing Writer

Adobe has issued an important security update which patches a total of 23 critical vulnerabilities in Flash Player.

On Monday, Adobe issued the firm's latest set of security updates, specifically targeting the Adobe Flash Player. The updates for Windows, Mac and Linux users address "critical vulnerabilities that could potentially allow an attacker to take control of the affected system," according to the software developer.

Adobe Flash Player Desktop Runtime and Adobe Flash Player Extended Support Release 18.0.0.232 and earlier; Adobe Flash Player for Google Chrome 18.0.0.233 and earlier; Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.0.0.232 and earlier on Windows 10; and Adobe Flash Player for Internet Explorer 10 and 11 18.0.0.232 and earlier on Windows 8 and 8.1 are all impacted, as well as Adobe Flash Player for Linux versions 18.0.0.199 and earlier.

In addition, AIR Desktop Runtime 18.0.0.199 and earlier for Windows and Mac; AIR SDK 18.0.0.180 and AIR SDK & compiler 18.0.0.180 and earlier on Windows, Android and iOS; and AIR for Android 18.0.0.143 and earlier are affected by this update.

The security flaws fixed in this update, all deemed critical, include a type confusion vulnerability, use-after-free flaws, buffer overflow issues and memory corruption vulnerabilities which could lead to remote code execution.

The update also resolves memory leak security flaws, stack corruption and stack overflow vulnerabilities as well as a security bypass vulnerability which could lead to information disclosure.

In addition, Adobe has added further defense to a mitigation barrier which prevents vector length corruptions, resolved a vulnerability which could be exploited to bypass the same-origin policy and lead to information leaks, and improved validation checks in order to reject content from vulnerable JSONP callback APIs.

Adobe recommends users accept automatic updates for the Chrome and Internet Explorer browsers relating to Flash. Users can also manually download updates from the Download Center. Users of the Adobe Flash Player Extended Support Release are encouraged to update to version 18.0.0.241.

There is an issue brought to light with this update, however. As noted by security expert Brian Krebs, those downloading new installations of Shockwave which bundle Flash are placing themselves at risk if they do not junk the software.

According to Krebs, the bundled Adobe Shockwave Player contains Flash 16.0.0.305, which is many versions behind the current patched version. This version contains a staggering 155 vulnerabilities which leave users completely exposed to backdoors, exploits, remote control and overall system compromise.

Within the security bulletin, Adobe has given credit to the Alibaba Security Research Team, Google Project Zero, HP's Zero Day Initiative, Google's Chrome Rewards Program and AddReality, among others.

Qualys CTO Wolfgang Kandek raised an interesting point in a forum post, noting that the surprise update, which falls outside of the normal update cycle, may be due to "potentially disclosure deadlines [..] in play." If this is the case, Adobe has given users time to update before vulnerability details enter the public domain and potentially end up exploited by attackers.

Last month, Adobe fixed two critical flaws in Flash which were discovered due to the Hacking Team data breach. The exploits, zero-day vulnerabilities which allowed attackers to remotely control a computer, impacted Windows, Mac and Linux machines.
