Adobe releases 25 critical Flash patches
Adobe, Microsoft and Google have issued updates to their products to patch vulnerabilities in their various distributions of Adobe's Flash Player. Nearly all of the 25 critical vulnerabilities fixed by the updates were discovered by the Google Security Team. Adobe says that the Windows version of Flash Player is a "Priority 1" update, which normally indicates that there is an exploit in the wild for one or more of the holes, but Adobe has not indicated that this is the case. Adobe does recommend that Windows users install the updates as soon as possible. The vulnerabilities are characterised as either buffer overflow or memory corruption vulnerabilities, but no other details are currently available.
As Microsoft and Google now embed Flash Player in their browsers, both have had to issue updates through their normal update channels. Microsoft has updated its Internet Explorer 10 web browser for Windows 8 and Windows Server 2012 through Windows Update to close these Flash holes. The company also probably closed the holes as quickly as it did as a reaction to previous criticism of the speed of its updates.
The embedded version of Flash in Google's Chrome was also updated with version 22.0.1229.92 of Chrome for Windows, Mac OS X and Linux in the browser's stable release channel. This release of Chrome also closes five other holes, one of which is rated critical and is due to a race condition in Chrome's audio device handling.
Updates for Flash Player and AIR on other platforms have also been released with lower priorities: 2 for the Mac OS X Flash Player and 3 for everything else. In all, affected versions of Flash Player include any earlier than version 11.4.402.278 for Windows, version 11.4.402.265 for Mac OS X, version 220.127.116.11 for Linux, version 18.104.22.168 for Android 4.x and version 22.214.171.124 for Android 3.x and 2.x. Adobe AIR versions earlier than 126.96.36.1990 for Windows, Mac OS X and Android are also vulnerable. This includes version 188.8.131.520 and earlier of the Adobe AIR SDK and AIR for iOS devices.
As per Adobe's original recommendation, users are advised to install all of these patches as soon as possible. Windows, Mac OS X and Linux users can get the update appropriate for their system from the Flash Player Download Center or for a different system through another page on Adobe's web site. Users of Google's Chrome browser will be automatically updated to the latest version of the Flash Player component with the latest update. The patches for Internet Explorer will be delivered through the automatic Windows Update functionality.
It is very likely that the "day-before-Patch-Tuesday" release of the fixes was due in part to the Pwnium 2 security competition, which will take place on Wednesday 10 October and in which security researchers will attempt to break the security provisions of popular browsers. Flash has previously been a rich source of vulnerabilities which can be used in tandem with other exploits to escape sandboxes and execute code on systems.
- Pwnium 2: Google pledges $2 million for Chrome exploits, a report from The H.