Adobe has released an updated version of Flash Player that patches over a dozen vulnerabilities and has announced that its scheduled update for Acrobat and Reader will be postponed until September 15.
Adobe's patch release today falls on Microsoft's monthly Patch Tuesday, Microsoft's scheduled security update program. Adobe's Flash Player for Windows, Mac, and Linux is being patched for numerous remotely exploitable memory-based vulnerabilities.
Adobe has stated that no vulnerabilities are being exploited in the wild. It also listed the affected versions of its platforms:
- Adobe Flash Player 126.96.36.199 and earlier versions
- Adobe Flash Player 188.8.131.52 and earlier 13.x versions
- Adobe Flash Player 184.108.40.2060 and earlier versions for Linux
- Adobe AIR desktop runtime 220.127.116.11 and earlier versions
- Adobe AIR SDK 18.104.22.168 and earlier versions
- Adobe AIR SDK & Compiler 22.214.171.124 and earlier versions
- Adobe AIR 126.96.36.199 and earlier versions for Android
Adobe has rated the Flash Player 14 vulnerabilities as critical in its security rating for Windows, Mac, Linux and Internet Explorer 10 for Windows 8. Adobe gave the Flash Player 11 vulnerabilities for Linux and the Adobe AIR vulnerabilities for all platforms a lower critical rating, and administrators can update those at their own discretion.
The disclosed 'critical' bugs are a number of memory-based vulnerabilities that allow for remote code execution. They include memory leakage vulnerabilities which could allow an attacker to bypass address space layout randomization (ASLR). Another six fixes address memory corruption vulnerabilities that could lead to code execution, including a use-after-free vulnerability, a security-bypass vulnerability, a heap buffer overflow and another vulnerability that an attacker could abuse to bypass the same-origin policy.
Adobe had previously planned to release its new versions of Adobe Acrobat and Reader alongside the Flash security updates today, but has rescheduled them to the later date of next Monday.
“This delay was necessary to address issues identified during routine regression testing,” Adobe said.
The scheduled update is reported to address critical vulnerabilities in Adobe Reader XI, Adobe Reader X, Adobe Acrobat XI, and Adobe Acrobat X next week.
Eight of the Adobe vulnerabilities were discovered by researchers at Google's Project Zero, a team of elite security researchers Google put together to help secure the Internet.
Adobe products can be updated automatically from the Adobe Flash Player website; beware of pre-cross-checked downloads.