Adobe released security updates on Tuesday that address two critical zero-day vulnerabilities in Flash Player that were identified in the recent Hacking Team leaks, as well as dozens of bugs in Acrobat and Reader and two flaws in Shockwave Player.
The Flash Player updates are for Windows, Macintosh and Linux and address CVE-2015-5122 and CVE-2015-5123, both of which are use-after-free vulnerabilities that can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
In a Flash Player security bulletin, Adobe referred to the bugs as critical and said it is aware of reports that exploits targeting the vulnerabilities have been published publicly.
The issue is so severe – researchers said CVE-2015-5122 has been incorporated into at least two exploit kits and is being actively exploited to distribute malware – that Mozilla blocked vulnerable versions of the Flash Player plugin in Firefox.
“We're glad Adobe has moved quickly to fix critical vulnerabilities in Flash,” Chad Weiner, director of product management with Mozilla, said in a statement emailed to SCMagazine.com on Tuesday. “The latest Flash update is now enabled by default in Firefox. On Monday, July 13, we disabled Flash by default in Firefox to protect our users from active exploits which were distributing malware.”
The Acrobat and Reader updates are for Windows and Macintosh and address a large number of vulnerabilities, some of which are considered critical and can potentially allow an attacker to take control of a vulnerable system, an Acrobat and Reader security bulletin said.
Among the issues that were fixed are buffer overflow, heap buffer overflow, stack overflow, integer overflow, memory corruption, and use-after-free vulnerabilities – all of which could lead to code execution. Additional flaws could lead to information disclosure, denial-of-service and privilege escalation.
The Shockwave Player updates are for Windows and Macintosh and address CVE-2015-5120 and CVE-2015-5121, two memory corruption vulnerabilities that could lead to code execution, a Shockwave Player security bulletin said.
Last week Adobe released Flash Player security updates to address CVE-2015-5119, another critical use-after-free vulnerability that came out of the Hacking Team leaks. Shortly after being disclosed, the bug was incorporated into at least three exploit kits and was observed being actively exploited by attackers.