Adobe Patches 52 Vulnerabilities in Flash Player

Adobe today pushed out an updated Flash Player that patched 52 vulnerabilities, most of which led to remote code execution on compromised machines.

The 52 flaws represent one of the biggest security updates in Flash this year, in what has been a busy time around the beleaguered software. Already, Adobe has had to push out emergency updates addressing zero day vulnerabilities under attack by criminals and APT attackers.

None of the flaws patched today are currently under attack in the wild.

The updated version, 22.0.0.209 for Windows, Mac OS X, Chrome, Internet Explorer and Edge, as well as 11.2.202.632 for Linux, replaces 22.0.0.192 and 11.2.202.626, respectively.

Thirty-three of the Flash Player patches resolve memory corruption vulnerabilities leading to remote code execution. A dozen use-after-free flaws were also addressed that exposed machines to code execution attacks. The update also patches a handful of type-confusion vulnerabilities and a heap buffer overflow flaw that open the door to code execution

Adobe also addressed a race condition and a security bypass flaw that led to information disclosure, a memory leak vulnerability and stack corruption bugs leading to code execution.

Adobe also published new versions of Acrobat and Reader, patching 30 vulnerabilities along the way. Users are urged to be at version 11.0.17 for the desktop version of both products on Windows and Mac OS X.

All but one of the vulnerabilities lead to code execution; most are memory corruption bugs along with integer and heap buffer overflows and a use after free flaw. There is also a flaw that allows for a bypass of restrictions on JavaScript API execution.

Finally, Adobe also updated its XMP Toolkit for Java, version 5.1.2 and earlier. Adobe said the update patches a flaw that led to information disclosure, and users are urged to update to version 5.1.3. The issue, Adobe said, is associated with the parsing of crafted XML External Entities in XMP Core.