Adobe has updated Flash Player to address a total of four security holes. Windows and Mac users are advised to update their installations to version 18.104.22.168, while Linux users should update to version 22.214.171.1240.
Google Chrome, Internet Explorer 10 and Internet Explorer 11 installations are automatically updated.
This vulnerability was reported by VUPEN at the Pwn2Own competition that took place recently alongside the CanSecWest security conference.
The second flaw, CVE-2014-0507, is a buffer overflow that could also result in code execution. This issue was disclosed at Pwn2Own 2014 by Zeguang Zhao and Liang Chen. As Kaspersky experts highlight, the bug was initially assigned CVE-2014-0510.
According to the description on NIST’s National Vulnerability Database, the bug “allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors.”
The updates also address a security bypass vulnerability (CVE-2014-0508) that could lead to information disclosure, Adobe revealed in its advisory. The issue was reported by Ben Venis.
Finally, a cross-site scripting (XSS) vulnerability has also been fixed. The XSS flaw, CVE-2014-0509, was responsibly disclosed by Masato Kinugawa.
Some of the vulnerabilities are considered critical because they can be exploited by an attacker to take control of the impacted system.
There’s no evidence that these security holes are being exploited in the wild, but customers should apply the updates as soon as possible to prevent any unfortunate events.
In addition to the Flash Player updates, Adobe has also released new versions of Adobe AIR. Adobe AIR 126.96.36.1998 SDK users are advised to update to the Adobe AIR 188.8.131.52 SDK.
Users of Adobe AIR 184.108.40.2068 SDK & Compiler and earlier versions should install Adobe AIR 220.127.116.11 SDK & Compiler. Android customers can update their installations from Google Play.
In its latest advisory, Adobe notes that starting on May 13, 2014, Flash Player 13 for Mac and Windows will replace Flash Player 11.7 as the extended support version. As such, customers are advised to upgrade to Flash Player 13 in order to receive future security updates.
At Pwn2Own, VUPEN also identified a critical vulnerability in Adobe Reader. However, that security hole remains unfixed, at least for now.