Adobe today released another sizeable security update for Flash Player, patching 13 vulnerabilities, none of which are being publicly exploited, Adobe said. All of them, however, expose Flash Player to remote attacks that would give a hacker access to the underlying system.
The most severe vulnerabilities impact Flash Player for Windows (including Flash Player for Internet Explorer 10 and 11 running on Windows 8 and 8.1), Mac OS X and Linux.
The majority of the bugs patched today involve memory corruption issues that can be leveraged in other attacks. Those include: a memory address randomization issue of the Flash heap for Windows 7 64 bit; stack and integer overflows, and memory corruption vulnerabilities that lead to code execution; and four use-after-free vulnerabilities and a memory leak issue that lead to code execution or a bypass of Address Space Layout Randomization (ASLR).
Also patched were a trio of vulnerabilities that bypass the same-origin policy if exploited, leading to information disclosure. A permission issue in the Flash broker for IE was also patched; if exploited that bug could be used to elevate privileges from low to medium integrity levels, Adobe said.
Finally, the updates address a vulnerability that if exploited, bypasses a fix for a cross-side request forgery vulnerability, CVE-2014-5333.
In early May, Adobe almost routine Flash update patched 18 vulnerabilities, all of which enable remote code execution.