Security updates for Flash and Air
Adobe has released new versions of its Flash Player to eliminate a number of critical vulnerabilities. The vulnerabilities are associated with several CVE numbers: CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277 and CVE-2012-5280 are buffer overflows, CVE-2012-5279 is a memory corruption issue and CVE-2012-5278 is a security bypass. All of them are listed as potentially allowing an attacker to inject malicious code into the system. All the flaws were discovered by members of the Google Security Team.
The new versions of Flash for each platform are:
Platform | Version | Source of the update |
Windows and Mac OS X | 11.5.502.110 | Adobe |
Linux | 11.2.202.251 | Adobe |
Android 4.x | 11.1.115.27 | Automatically over Google Play (Only for devices that had Flash installed before 15 August 2012) |
Android 3.x/2.x | 11.1.111.24 | Automatically over Google Play (Only for devices that had Flash installed before 15 August 2012) |
Google Chrome | 11.5.31.2 | Google (Chrome automatically updates) |
IE 10 (Windows 8 and Server 2012) | 11.3.376.12 | Windows Update / Microsoft |
Google Chrome's embedded Flash Player is updated as part of the Google Chrome update to version 23, which was also released today. The automatic delivery of Flash Player for Windows 8 has apparently not started yet.
Users who are unsure of what version of Flash they are running can use the Adobe test page, which will disclose the Flash version on all platforms. The Windows version of the player has been given the highest priority level, which suggests that there are exploits for its vulnerabilities in the wild and that updates should be installed as soon as possible.
Adobe also updated its AIR runtime, which includes Flash Player, and the associated development kits. Version 3.5.0.600 is now the current version on all platforms.
Update (10:53) - Windows 8 updates are now being delivered to users.
(djwm)