Adobe Flash update closes several critical holes
Adobe has announced the release of an update for Flash Player on Windows, Mac, Linux, Android 3.x and 4.x, and within its own AIR runtime. The update addresses several critical vulnerabilities which involve memory corruption, stack overflows, integer overflows, security being bypassed, null dereferencing and binary planting (DLL hijacking). All, except the security bypass, could lead to code execution.
The updates also include a number of security enhancements on various platforms. The Windows version of Flash Player now offers a production version of "Flash Player Protected Mode for Firefox" which brings a sandbox to the running of Flash, making it harder for attackers to get at other processes.
On the Mac, Adobe has included silent background updating for Flash. A daemon is launched every hour to check for updates until it gets a response from Adobe's servers; once a response has been obtained, it then waits 24 hours before checking again. If an update is available it is silently installed, but users can override that behaviour from the Flash Player preferences (found within the OS X System Preferences). Adobe adds that it has also now signed Flash Player with its Apple Developer ID, ready for Mac OS X 10.8 ("Mountain Lion") and its new Gatekeeper feature.
Flash Player on Windows and Macintosh should be updated to version 11.3.300.257 and on Linux to 18.104.22.168; all earlier versions on the respective operating systems are vulnerable. The desktop updates are available from Adobe's Flash download or Flash distribution pages. For Android 4.x, users should update to version 22.214.171.124, and for Android 3.0, 126.96.36.199; these updates are available from the Google Play store. Adobe AIR should be updated to version 188.8.131.5210 from the AIR Download Center on Windows and Macintosh, and from the Google Play store on Android. Google Chrome users should see an update to version 19.0.1084.56 of the browser which includes the Flash update.