Adobe today pushed out an updated Flash Player that patched 52 vulnerabilities, most of which led to remote code execution on compromised machines.
The 52 flaws represent one of the biggest security updates in Flash this year, in what has been a busy time around the beleaguered software. Already, Adobe has had to push out emergency updates addressing zero-day vulnerabilities under attack by criminals and APT attackers.
None of the flaws patched today are currently under attack in the wild.
The updated version, 22.214.171.124 for Windows, Mac OS X, Chrome, Internet Explorer and Edge, as well as 126.96.36.1992 for Linux, replaces 188.8.131.52 and 184.108.40.2066, respectively.
Thirty-three of the Flash Player patches resolve memory corruption vulnerabilities leading to remote code execution. A dozen use-after-free flaws that exposed machines to code execution attacks were also addressed. The update also patches a handful of type-confusion vulnerabilities and a heap buffer overflow flaw that open the door to code execution.
Adobe also addressed a race condition and a security bypass flaw that led to information disclosure, a memory leak vulnerability and stack corruption bugs leading to code execution.
Adobe also published new versions of Acrobat and Reader, patching 30 vulnerabilities along the way. Users are urged to be at version 11.0.17 for the desktop version of both products on Windows and Mac OS X.
Finally, Adobe also updated its XMP Toolkit for Java, version 5.1.2 and earlier. Adobe said the update patches a flaw that led to information disclosure, and users are urged to update to version 5.1.3. The issue, Adobe said, is associated with the parsing of crafted XML External Entities in XMP Core.
via Threatpost | The first stop for security news http://bit.ly/29vWypW