Adobe released its May 2015 security updates to patch critical vulnerabilities in products including Adobe Flash Player, Adobe Reader and Acrobat. The Flash Player update patches around 18 security vulnerabilities in Adobe Flash Player and AIR for Windows, Mac OS X and Linux, addressing “vulnerabilities that could potentially allow an attacker to take control of the affected system,” according to Adobe.
Adobe Flash Player update addresses:
- Remote code execution vulnerabilities
- Memory corruption vulnerabilities
- Heap overflow vulnerability
- Integer overflow bug
- Confusion flaws
- Use-after-free vulnerability
- Time-of-check time-of-use (TOCTOU) race condition that bypasses Protected Mode in Internet Explorer
- Validation bypass issues that could be exploited to write arbitrary data to the file system under user permissions
- Memory leak vulnerabilities that could be used to bypass ASLR (Address Space Layout Randomization)
- Security bypass vulnerability that could lead to information leaks
Affected Adobe Flash Player Versions:
- Adobe Flash Player version 17.0.0.169 and earlier
- Adobe Flash Player version 13.0.0.281 and earlier 13.x versions
- Adobe Flash Player version 11.2.202.457 and earlier 11.x versions
- AIR Desktop Runtime 17.0.0.144 and earlier versions
- AIR SDK and SDK & Compiler 17.0.0.144 and earlier versions
Adobe Reader and Acrobat update addresses:
- Critical remote code execution vulnerabilities
- Use-after-free vulnerabilities
- Heap-based buffer overflow vulnerabilities
- Buffer overflow vulnerability
- Memory corruption vulnerabilities
Affected Adobe Reader and Acrobat Versions:
- Adobe Reader XI (11.0.10) and earlier 11.x versions
- Reader X (10.1.13) and earlier 10.x versions
- Acrobat XI (11.0.10) and earlier 11.x versions
- Acrobat X (10.1.13) and earlier 10.x versions
Adobe Acrobat Reader DC is not affected by this security update.
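The two affected-version lists above are branch-specific (a 13.x or 11.x Flash build is compared against its own branch ceiling, not against 17.0.0.169), so a naive "is my version lower than the latest" check gets them wrong. The following is an added example, not code from the advisory, that encodes the page's version ceilings as data and checks an inventory against them; the inventory rows and host names are constructed sample data.

```python
import re

# Last affected build per product branch, taken from the lists in this post.
# "default" covers any major version without its own branch entry (Flash 14.x
# to 16.x are all earlier than 17.0.0.169 and therefore affected). Products
# with no matching branch, such as Acrobat Reader DC, are reported unaffected.
LAST_AFFECTED = {
    "flash":   {"default": (17, 0, 0, 169), 13: (13, 0, 0, 281), 11: (11, 2, 202, 457)},
    "air":     {"default": (17, 0, 0, 144)},
    "reader":  {11: (11, 0, 10), 10: (10, 1, 13)},
    "acrobat": {11: (11, 0, 10), 10: (10, 1, 13)},
}


def parse_version(text):
    """Turn '17.0.0.169' into (17, 0, 0, 169); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(product, version):
    """True if `version` of `product` is at or below the ceiling for its branch."""
    branches = LAST_AFFECTED[product.lower()]
    parts = parse_version(version)
    ceiling = branches.get(parts[0], branches.get("default"))
    if ceiling is None:
        return False  # branch not covered by the advisory (e.g. Reader DC 2015.x)
    return parts <= ceiling  # tuple comparison handles the dotted components


# Constructed sample inventory (hostname, product, installed version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws01", "flash", "17.0.0.169"),      # exactly the ceiling: still affected
    ("ws02", "flash", "17.0.0.188"),      # already patched
    ("ws03", "flash", "13.0.0.281"),      # 13.x branch ceiling: affected
    ("ws04", "reader", "11.0.10"),        # Reader XI ceiling: affected
    ("ws05", "reader", "2015.007.20033"), # Reader DC: not in scope
    ("ws06", "acrobat", "10.1.14"),       # newer than the 10.x ceiling
]


def hosts_needing_patch(inventory):
    """Return the hostnames whose installed version falls in an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    print("Needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```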
The latest Adobe update also resolves:
- Various methods to bypass JavaScript API execution restrictions
- Memory leak issue
- Null-pointer dereference issue that could lead to denial-of-service (DoS) attacks
- XML external entity (XXE) handling bug that could lead to information disclosure
Adobe recommends that users accept automatic updates for the Adobe Flash Player desktop runtime for Windows and Mac OS X when prompted, or update manually via the Adobe Flash Player Download Center.
Resources:
APSB15-10 Security Updates Available for Adobe Reader and Acrobat
APSB15-09 Security Updates Available for Adobe Flash Player