Adobe Flash Hit By Dozens Of Critical Flaws

The latest scores of vulnerabilities could allow attackers to take over a system or steal information, says Adobe

Adobe has warned that its Flash software is vulnerable to more than two dozen “critical” security vulnerabilities, most of which could allow an attacker to take over a user’s computer.

The bugs include an integer overflow bug, several use-after-free vulnerabilities, and security bypass and memory corruption issues; these affect Flash Player software on the Windows, Mac OS, Linux and Chrome OS platforms, Adobe said.

Critical bugs


The company published updates for the affected software and urged users to install them immediately.

“These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said in an advisory.

Users can obtain the updates by using the software’s built-in download mechanism or by visiting Adobe’s website.

Several of the bugs were discovered by researchers who reported them through programmes that pay cash for vulnerabilities, including Trend Micro’s Zero Day Initiative and the Chromium Vulnerability Rewards Programme, highlighting the growing importance of such schemes in keeping software secure.

Others were found by Project Zero, a Google team dedicated to uncovering previously unknown bugs, Microsoft Vulnerability Research, Palo Alto Networks and other groups.

Zero-day IE flaw

Separately, Microsoft in its monthly security update said it had patched a bug that could allow attackers to execute malicious code on a user’s system if the user merely views a specially crafted web page, amongst other vulnerabilities.

“An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user,” Microsoft stated. “If the current user is logged on with administrative user rights, an attacker could take control of an affected system.”

Computer security experts said the attention around both the Adobe and Microsoft vulnerabilities makes them all the more worth patching immediately.

“It’s not unusual to see online criminals taking a close interest in the security patches issued by the likes of Adobe and Microsoft, and launching attacks to exploit the newly-disclosed vulnerabilities against end users and corporations,” said security expert Graham Cluley in an advisory.

Adobe’s Flash technology has become a favoured target of attackers due to its broad installation in web browsers, and is due to be succeeded by capabilities built into the HTML5 language.

A study published in June, however, found that the transition to HTML5 is unlikely to prevent the types of attacks that currently exploit Flash bugs, since attackers can easily design similar attacks that don’t require Flash.
