Thursday

Flash Flunks, Frequent Fixes Fail To Fortify

Despite a recent unscheduled fix, Adobe has issued further upgrades to mitigate a new exploit against its Flash Player that is "in the wild" (i.e. it's out there). Adobe has recently scheduled its security updates to coincide with Microsoft's Patch Tuesday, but it has now issued out-of-band fixes twice in the last few weeks. Adobe's Flash Player and Oracle's Java have been the bane of computer security for some time now; both are frequently patched and even more frequently exploited.
The company said that the Windows and Mac OS X builds of Flash Player 12.0.0.44 and earlier, and Flash Player 11.2.202.336 and earlier for Linux, must be upgraded to fix a trio of bugs.
Adobe said today's update will "resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498)", fix "a memory leak vulnerability that could be used to defeat memory address layout randomization [ASLR] (CVE-2014-0499)", and squash "a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502)."
TheRegister

 
