Last week, Adobe released a Flash Player update for Mac and other operating systems, updating the software to version 220.127.116.11. This update addresses three critical flaws that could allow an attacker to remotely take control of the affected system; an exploit for CVE-2014-0502 exists in the wild.
Affected software versions include Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh, and Adobe Flash Player 22.214.171.1246 and earlier versions for Linux.
The Adobe Product Security Incident Response Team warned that an exploit for one of the critical vulnerabilities resolved in this update exists in the wild:
Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.
Graham Cluley noted on his blog a connection between the critical flaw and some recently compromised sites:
Anyone who has visited these websites in recent weeks is at a high risk of having had their computers infected, and the potential for data on their PCs to have been stolen.
Adobe’s security bulletin (APSB14-07) describes the three flaws patched in this update as follows:
- These updates resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498).
- These updates resolve a memory leak vulnerability that could be used to defeat memory address layout randomization (CVE-2014-0499).
- These updates resolve a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).
Users of Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh should immediately update to the new Adobe Flash Player 188.8.131.52. Users of Adobe Flash Player 184.108.40.2066 and earlier versions for Linux should update to Adobe Flash Player 220.127.116.111 as soon as possible. Adobe Flash Player 18.104.22.168 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 22.214.171.124 for Windows, Mac and Linux.