In the U.S., November has long been associated with patches – pumpkin patches, that is. This month, in the IT world, November is the month for patches of a different kind, and far more of them than usual. Microsoft isn’t the only software vendor that came out with a gargantuan update release on Patch Tuesday; Adobe joined in, releasing only one update, but that update fixes 18 separate vulnerabilities.
APSB14-24 is a Flash Player update that affects the application running on Windows/Internet Explorer, Mac OS X, Google Chrome and Linux, along with the AIR Desktop Runtime, SDK and compiler, and AIR for Android. The update is rated critical across all platforms, but it’s given a priority rating of 1 (top priority) for Flash Player on Windows and Mac, for Flash Player for Google Chrome on Windows, Mac and Linux, and for Flash Player for IE 10 and 11 on Windows 8.0 and 8.1. The priority drops to a 3 for Flash Player on Linux and the Adobe AIR products.
These vulnerabilities really run the gamut, including memory corruption issues, use-after-free vulnerabilities, a double free vulnerability, type confusion vulnerabilities, heap buffer overflow vulnerabilities, one information disclosure vulnerability, and a resolve permission issue.
The bad news is that all of the above types with the exception of the last two can be exploited to result in execution of arbitrary code. In all, fifteen of the eighteen are code execution vulnerabilities, by which an attacker could take control of the system. Two could be exploited to expose session tokens while one could be used to escalate privileges. All in all, something of a feast for attackers, so it’s obviously important to get this patch applied sooner rather than later.
Users of Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player 18.104.22.168 (14.9 MB). Users of Adobe Flash Player for Linux should update to Adobe Flash Player 22.214.171.1248. Adobe Flash Player installed on Google Chrome and Internet Explorer for Windows 8.x will be automatically updated to the current version.
The good news is that, so far at least, there have been no reports of exploits of any of these vulnerabilities in the wild. Now that the word is out, though, we can expect the bad guys to take advantage of these holes to try to wind their way into unpatched systems. These vulnerabilities were reported to Adobe by several different security researchers, including researchers from Google Project Zero, Verisign’s iDefense Vulnerability Contributor Program, Chromium Rewards Program, Microsoft Vulnerability Research, Venustech ADLAB, MicroTrend and KnownSec. One was reported by an individual, Nicolas Jody, and one was reported anonymously.
Because Adobe Flash is so widely installed and used on computers across all major operating systems, an attacker who targets it has the potential to do widespread damage. You might recall that last month, we reported on the availability of a commercial exploit kit called Fiesta that utilized a vulnerability in Flash, which Adobe fixed in their October updates. Staying a step ahead of the attackers is becoming increasingly difficult, as clever hackers come up with innovative ways to expose as many systems as possible to compromise.